[ewg] Allowing ib dignostics to be run without being logged in as root.
Roland Dreier
rdreier at cisco.com
Wed Jun 2 11:58:45 PDT 2010
> > $> cat /etc/udev/rules.d/80-ib-umad.rules
> > KERNEL=="umad*", NAME="infiniband/%k", MODE="0666"
> It is not the same. Your propose to expose /dev/infiniband/umad device
> access to all world, which is obviously even more dangerous than SUIDing
> diagnostic programs.
Well, different threats. Making umad files world-writable means anyone
can inject whatever MADs they want to into the fabric. On the other
hand, if an arbitrary code execution security hole is found in a
diagnostic program, then having it SUID root means the hole becomes a
local root exploit. It's hard to assess which is really more dangerous.
--
Roland Dreier <rolandd at cisco.com> || For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
More information about the ewg
mailing list