dmidecode-devel

Re: [dmidecode] Root requirement


From: Vladimir 'phcoder' Serbinenko
Subject: Re: [dmidecode] Root requirement
Date: Thu, 08 Oct 2009 00:04:45 +0200
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090701)

Bowen, Clint wrote:
> What is the rationale for requiring root for dmidecode?  
In order to find DMI tables dmidecode needs to access physical memory
(through /dev/mem)
On Mac OSX it would be possible to retrieve SMBIOS through ioreg but my
patch to interpret data from ioreg was declined.
> Assuming this is a technical requirement, has the suid bit been considered? 
> I don't see anything in the output that I don't want an unpriv user to access. 
>  If there is, might this be mitigated by creating a group 'dmidecode', which 
> with group membership would allow unpriv access?  I ask since we have an 
> inventory tool that wants the system serial number, for example, that doesn't 
> seem to exist anywhere else.
>
>   
Each suid binary is a potential security hole. In most cases an
unprivileged user doesn't need to know which system he is on, and so
dmidecode is useless to him.
Security considerations:
1) Some BIOSes export an encryption key from a token through SMBIOS
2) if the SMBIOS anchor is faulty, dmidecode may dump a random chunk of
memory, which is a security hole

In light of this I would say that setuid'ing dmidecode is a bad idea, but
I acknowledge that non-root dmidecode may be useful. For these cases the
right tool is sudo, e.g. in your sudoers file:
%dmidecode ALL=(root) NOPASSWD: /sbin/dmidecode ""
> --
> Clint Bowen - RHCE
> Linux Team Lead
> Platform Services
> Information Technology Services
> State of North Carolina
> 919.754.6278
>
> ############################NOTICE######################################
> E-mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and may be disclosed to third parties
> by an authorized state official.
> ########################################################################
>
>
> _______________________________________________
> http://lists.nongnu.org/mailman/listinfo/dmidecode-devel
>
>   


-- 
Regards
Vladimir 'phcoder' Serbinenko
Personal git repository: http://repo.or.cz/w/grub2/phcoder.git 
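The second security consideration in the reply above (a faulty SMBIOS anchor making dmidecode dump an arbitrary chunk of /dev/mem) comes down to whether the reader validates the entry point before trusting the table address and length it carries. What follows is an added example written for this page, not dmidecode's own code: it parses a 32-bit SMBIOS 2.x entry point structure the way a careful reader should, checking both anchors and both checksums and rejecting an implausible table range before anything would be read from physical memory. The field offsets follow the SMBIOS 2.x entry point layout; the sample buffers, the error codes and every function name here (smbios_parse_entry, smbios_build_entry, sample_parse_result, sample_unchecked_len) are constructed for this example.

```c
/* Added example, not dmidecode's own code: validate an SMBIOS 2.x (32-bit)
 * entry point before trusting the table address/length it advertises.
 * Offsets follow the SMBIOS 2.x entry point layout; every sample buffer
 * below is constructed here, not captured from a real BIOS. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMBIOS_EPS_LEN 0x1F   /* the 32-bit entry point structure is 31 bytes */

enum { EPS_OK = 0, EPS_SHORT = -1, EPS_ANCHOR = -2, EPS_LENGTH = -3,
       EPS_CSUM = -4, EPS_DMI_ANCHOR = -5, EPS_DMI_CSUM = -6, EPS_RANGE = -7 };

struct smbios_entry {
    uint8_t  major, minor;
    uint16_t table_len;
    uint32_t table_addr;
    uint16_t num_structs;
};

/* SMBIOS checksums are plain byte sums that must come out to 0 mod 256. */
static uint8_t byte_sum(const uint8_t *p, size_t n)
{
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint8_t)(s + p[i]);
    return s;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns EPS_OK and fills *out only when every check passes; any other
 * code means the advertised table address/length must not be used. */
int smbios_parse_entry(const uint8_t *buf, size_t len, struct smbios_entry *out)
{
    if (len < SMBIOS_EPS_LEN) return EPS_SHORT;
    if (memcmp(buf, "_SM_", 4) != 0) return EPS_ANCHOR;
    uint8_t eps_len = buf[5];                      /* structure length field */
    if (eps_len < SMBIOS_EPS_LEN || eps_len > len) return EPS_LENGTH;
    if (byte_sum(buf, eps_len) != 0) return EPS_CSUM;      /* outer checksum */
    if (memcmp(buf + 16, "_DMI_", 5) != 0) return EPS_DMI_ANCHOR;
    if (byte_sum(buf + 16, 15) != 0) return EPS_DMI_CSUM;  /* intermediate one */
    uint16_t tlen  = rd16(buf + 22);
    uint32_t taddr = rd32(buf + 24);
    /* An empty table is meaningless, and a table crossing the 4 GiB boundary
     * cannot be described by a 32-bit physical address. */
    if (tlen == 0 || (uint64_t)taddr + tlen > 0x100000000ULL) return EPS_RANGE;
    out->major = buf[6];  out->minor = buf[7];
    out->table_len = tlen;  out->table_addr = taddr;
    out->num_structs = rd16(buf + 28);
    return EPS_OK;
}

/* What a reader that skips all checks would do: take the length as-is. */
uint16_t smbios_table_len_unchecked(const uint8_t *buf) { return rd16(buf + 22); }

/* Build a well-formed entry point (constructed sample, version 2.6). */
void smbios_build_entry(uint8_t eps[SMBIOS_EPS_LEN], uint16_t table_len,
                        uint32_t table_addr, uint16_t num_structs)
{
    memset(eps, 0, SMBIOS_EPS_LEN);
    memcpy(eps, "_SM_", 4);
    eps[5] = SMBIOS_EPS_LEN;
    eps[6] = 2;  eps[7] = 6;                    /* SMBIOS 2.6 */
    eps[8] = 0x00;  eps[9] = 0x01;              /* max structure size 256 */
    memcpy(eps + 16, "_DMI_", 5);
    eps[22] = (uint8_t)table_len;  eps[23] = (uint8_t)(table_len >> 8);
    for (int i = 0; i < 4; i++) eps[24 + i] = (uint8_t)(table_addr >> (8 * i));
    eps[28] = (uint8_t)num_structs;  eps[29] = (uint8_t)(num_structs >> 8);
    eps[30] = 0x26;                             /* BCD revision */
    /* intermediate checksum first: the outer checksum covers byte 21 too */
    eps[21] = (uint8_t)(0 - byte_sum(eps + 16, 15));
    eps[4]  = (uint8_t)(0 - byte_sum(eps, SMBIOS_EPS_LEN));
}

/* Constructed samples: 0 = sane, 1 = one corrupted length byte (checksum not
 * recomputed), 2 = wrong anchor, 3 = checksums fine but table runs past 4 GiB */
static void make_sample(int variant, uint8_t eps[SMBIOS_EPS_LEN])
{
    smbios_build_entry(eps, 0x0400, 0x000F0000, 40);
    if (variant == 1) eps[23] = 0xFF;           /* length field now reads 0xFF00 */
    if (variant == 2) eps[0] = 'X';
    if (variant == 3) smbios_build_entry(eps, 0x0400, 0xFFFFFF00, 40);
}

int sample_parse_result(int variant)
{
    uint8_t eps[SMBIOS_EPS_LEN];
    struct smbios_entry e;
    make_sample(variant, eps);
    return smbios_parse_entry(eps, sizeof eps, &e);
}

unsigned sample_unchecked_len(int variant)
{
    uint8_t eps[SMBIOS_EPS_LEN];
    make_sample(variant, eps);
    return smbios_table_len_unchecked(eps);
}

int main(void)
{
    for (int v = 0; v < 4; v++)
        printf("variant %d: parse=%d unchecked_len=0x%04x\n",
               v, sample_parse_result(v), sample_unchecked_len(v));
    return 0;
}
```

Variant 1 is the point of the exercise: a single corrupted byte in the table length field would make an unchecked reader copy 0xFF00 bytes from wherever the table address points, while the outer checksum rejects the structure before any read of /dev/mem. The checksum is an integrity check only, not authentication: a BIOS that fills in a wrong address and a consistent checksum still passes, which is exactly the residual case the reply is worried about, and a reason to keep the raw dump behind sudo rather than behind a setuid bit.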




