Re: [dmidecode] Root requirement
From: Vladimir 'phcoder' Serbinenko
Subject: Re: [dmidecode] Root requirement
Date: Thu, 08 Oct 2009 00:04:45 +0200
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090701)
Bowen, Clint wrote:
> What is the rationale for requiring root for dmidecode?
In order to find the DMI tables dmidecode needs to access physical memory
(through /dev/mem).
On Mac OSX it would be possible to retrieve SMBIOS through ioreg but my
patch to interpret data from ioreg was declined.
> Assuming this is a technical requirement, has the suid bit been considered?
> I don't see anything in the output that I don't want an upriv user to access.
> If there is, might this be mitigated by creating a group 'dmidecode', which
> with group membership would allow unpriv access? I ask since we have an
> inventory tool that wants the system serial number, for example, that doesn't
> seem to exist anywhere else.
>
>
Each suid binary is a potential security hole. In most cases an
unprivileged user doesn't need to know on which system he is, and so
dmidecode is useless for him.
Security considerations:
1) Some BIOSes export the encryption key from a token through SMBIOS.
2) If the SMBIOS anchor is faulty, dmidecode may dump a random chunk of
memory, which is a security hole.
In light of this I would say that setuid'ing dmidecode is a bad idea but
I acknowledge that non-root dmidecode may be useful. For these cases the
right tool is sudo. E.g. in your sudoers file:
%dmidecode ALL=(root) NOPASSWD: /sbin/dmidecode ""
> --
> Clint Bowen - RHCE
> Linux Team Lead
> Platform Services
> Information Technology Services
> State of North Carolina
> 919.754.6278
>
> ############################NOTICE######################################
> E-mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and may be disclosed to third parties
> by an authorized state official.
> ########################################################################
> _______________________________________________
> http://lists.nongnu.org/mailman/listinfo/dmidecode-devel
--
Regards
Vladimir 'phcoder' Serbinenko
Personal git repository: http://repo.or.cz/w/grub2/phcoder.git
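The faulty-anchor case in point 2 of the reply above is the one a reader is most likely to want spelled out. What follows is an added example, not dmidecode's own code: it models a chunk of physical memory as a constructed byte array, validates the SMBIOS 2.x 32-bit entry point (both anchor strings, both checksums, the declared length) and refuses to hand back a table pointer unless the address and length the anchor declares fall inside the image, so a corrupted anchor produces an error code instead of a read of arbitrary memory. The image contents, the base address 0xF0000 and the helper names (smbios_resolve, smbios_scan, smbios_walk, build_image, check_case) are all assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not dmidecode's code. The memory image, its base
 * address and the table contents below are constructed for the example. */

#define EPS_LEN 0x1F            /* size of the "_SM_" entry point structure */

struct smbios_view {
    const uint8_t *table;       /* structure table, guaranteed inside the image */
    uint16_t table_len;
    uint16_t count;             /* structure count claimed by the entry point */
    uint8_t major, minor;
};

static uint8_t checksum(const uint8_t *p, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += p[i];
    return sum;                 /* a valid region sums to 0 mod 256 */
}

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Check the entry point at image[eps_off] and resolve the table it points to.
 * image_base is the physical address modelled by image[0]. Returns 0 on
 * success or a negative code naming the check that failed. */
int smbios_resolve(const uint8_t *image, size_t image_len, uint32_t image_base,
                   size_t eps_off, struct smbios_view *out)
{
    if (eps_off > image_len || image_len - eps_off < EPS_LEN) return -1;
    const uint8_t *eps = image + eps_off;
    if (memcmp(eps, "_SM_", 4) != 0) return -2;
    if (eps[5] != EPS_LEN) return -3;                   /* unexpected length */
    if (checksum(eps, EPS_LEN) != 0) return -4;         /* anchor checksum */
    if (memcmp(eps + 0x10, "_DMI_", 5) != 0) return -5;
    if (checksum(eps + 0x10, 0x0F) != 0) return -6;     /* intermediate checksum */

    uint16_t table_len = le16(eps + 0x16);
    uint32_t table_addr = le32(eps + 0x18);
    if (table_addr < image_base) return -7;
    uint64_t off = (uint64_t)table_addr - image_base;
    if (off > image_len || image_len - off < table_len) return -8; /* outside image */

    out->table = image + off; out->table_len = table_len;
    out->count = le16(eps + 0x1C); out->major = eps[6]; out->minor = eps[7];
    return 0;
}

/* Scan 16-byte paragraph boundaries for a valid anchor, the way the
 * 0xF0000-0xFFFFF range is searched. Returns the anchor offset or -1. */
long smbios_scan(const uint8_t *image, size_t image_len, uint32_t image_base,
                 struct smbios_view *out)
{
    for (size_t off = 0; off + EPS_LEN <= image_len; off += 16)
        if (smbios_resolve(image, image_len, image_base, off, out) == 0)
            return (long)off;
    return -1;
}

/* Walk the table within its declared length, counting structures up to the
 * end-of-table marker (type 127). Every access is bounded by table_len.
 * Returns the count, or -1 if the table is malformed. */
int smbios_walk(const struct smbios_view *v)
{
    size_t pos = 0; int n = 0;
    while (pos + 4 <= v->table_len) {
        uint8_t type = v->table[pos], len = v->table[pos + 1];
        if (len < 4 || pos + len > v->table_len) return -1;
        size_t s = pos + len;                            /* string set follows */
        while (s + 1 < v->table_len && !(v->table[s] == 0 && v->table[s + 1] == 0)) s++;
        if (s + 1 >= v->table_len) return -1;            /* no double NUL in bounds */
        n++; pos = s + 2;
        if (type == 127) return n;
    }
    return -1;
}

/* Build the constructed image: a SMBIOS 2.0-style type 1 (System Information)
 * structure with a serial string, an end-of-table structure at 0x200, and an
 * anchor at 0x100. corrupt: 0 = valid, 1 = break the anchor checksum,
 * 2 = point the table past the image (the "faulty anchor" case). */
size_t build_image(uint8_t *image, size_t image_len, uint32_t image_base, int corrupt)
{
    static const uint8_t table[] = {
        1, 8, 0x01, 0x00, 1, 2, 3, 4,                  /* type 1, four string refs */
        'A','C','M','E',0, 'B','o','x',0, '1','.','0',0, 'S','N','1','2','3',0, 0,
        127, 4, 0x02, 0x00, 0, 0                       /* end-of-table */
    };
    const size_t table_off = 0x200, eps_off = 0x100;
    memset(image, 0, image_len);
    memcpy(image + table_off, table, sizeof table);
    uint8_t *e = image + eps_off;
    memcpy(e, "_SM_", 4); e[5] = EPS_LEN; e[6] = 2; e[7] = 4; e[8] = sizeof table;
    memcpy(e + 0x10, "_DMI_", 5);
    uint16_t tl = sizeof table;
    uint32_t ta = image_base + (uint32_t)table_off;
    if (corrupt == 2) ta = image_base + (uint32_t)image_len;   /* just past the end */
    e[0x16] = (uint8_t)tl; e[0x17] = (uint8_t)(tl >> 8);
    e[0x18] = (uint8_t)ta; e[0x19] = (uint8_t)(ta >> 8);
    e[0x1A] = (uint8_t)(ta >> 16); e[0x1B] = (uint8_t)(ta >> 24);
    e[0x1C] = 2; e[0x1D] = 0; e[0x1E] = 0x24;
    e[0x15] = (uint8_t)(0 - checksum(e + 0x10, 0x0F));         /* intermediate */
    e[4] = (uint8_t)(0 - checksum(e, EPS_LEN));                /* anchor */
    if (corrupt == 1) e[4] ^= 0xFF;
    return eps_off;
}

/* Build the image in the given state and return smbios_resolve's verdict. */
int check_case(int corrupt)
{
    uint8_t image[4096]; struct smbios_view v;
    size_t off = build_image(image, sizeof image, 0xF0000, corrupt);
    return smbios_resolve(image, sizeof image, 0xF0000, off, &v);
}

int main(void)
{
    for (int c = 0; c <= 2; c++)
        printf("corrupt=%d -> resolve=%d\n", c, check_case(c));
    return 0;
}
```

The point of the bounds check on the table address is the one the reply makes: the anchor is data read from memory the BIOS wrote, and if it is wrong the table address and length are wrong too. A reader that trusts them will read whatever lies at that address; a reader that checks them against the region it actually mapped reports -8 and stops.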