[Nut-upsdev] Re: [nut-commits] svn commit r831 - in trunk: .
Charles Lepple
clepple at gmail.com
Fri Mar 2 15:37:50 CET 2007
On 2/27/07, Peter Selinger <selinger at mathstat.dal.ca> wrote:
> Perhaps a simple solution is to make the ups group, as well as the ups
> user, configurable.
No objections here.
> Actually, I don't understand why the hotplugging
> script uses these permissions:
>
> -rw-rw---- 1 root ups 52 Feb 27 17:32 002
>
> and not these other, more portable ones:
>
> -rw------- 1 ups root 52 Feb 27 17:32 002
>
> Here "ups" will be replaced by the configured user, of course.
>
> Is there a reason for these permissions, anyone? Would it break the
> Debian packaging (from which the hotplug scripts were originally
> taken) if we used a user instead of a group?
In general, when you want to isolate the amount of damage that a
process can do, you don't give that process ownership of a file,
device node or socket - you just give it group read-write permission.
That said, I'm not sure what the practical difference is, besides
making it harder for someone trying to exploit a potential buffer
overrun in the driver. It's complicated further by the fact that some
of the distributions are still using /proc/bus/usb (usbdevfs), and
others are using udev to create a regular directory with links and
character device nodes that point to the same things that usbdevfs
points to.
--
- Charles Lepple
More information about the Nut-upsdev
mailing list