dmidecode-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dmidecode] Root requirement

From: Jean Delvare
Subject: Re: [dmidecode] Root requirement
Date: Thu, 8 Oct 2009 22:38:10 +0200 
Hi Clint,

On Wed, 7 Oct 2009 17:18:28 -0400, Bowen, Clint wrote:
> What is the rationale for requiring root for dmidecode?

Both technical (/dev/mem can only be read by root) and functional (not
everyone wants all users of a system to be able to retrieve its serial
numbers or BIOS version.)

> Assuming this is a technical requirement, has the suid bit been
> considered? 

Considered by who? The decision to set the suid bit on a binary is
taken by the system administrator, or possibly the distribution, not
the software author.

Anyway, I don't see the point of doing this. In general users don't
need to know what hardware they are running on. At least not up to the
level of details provided by dmidecode.

> I don't see anything in the output that I don't want an upriv user
> to access.

Look better. Or maybe _you_ don't have a problem with the data, but
others (including me) do.

> If there is, might this be mitigated by creating a group 'dmidecode',
> which with group membership would allow unpriv access?  I ask since
> we have an inventory tool that wants the system serial number, for
> example, that doesn't seem to exist anywhere else.

Again, this is all under the responsibility of the system's
administrator. If you want a non-root user to access the DMI data,
there are plenty of ways this can be implemented. The suid bit is
probably the worse solution. Generally speaking, setting the suid bit
is almost always the wrong thing to do, no matter what problem you're
trying to solve. And when it comes to dmidecode... Don't get me wrong,
I trust my code to be correct, dmidecode went through valgrind many
times. But a suid bit set on a binary which reads /dev/mem... Brrr.
(Although this should get safer now that Linux has the /dev/mem access
restriction mechanism. But still.)

As already mentioned by Vladimir, sudo is one possibility. You could
also run dmidecode as root at boot time and store the output somewhere
in /var/log, with proper file group and permissions so that your
inventory tool can read it, possibly filtering data on the fly if
needed.

Note that recent versions of the Linux kernel export some DMI data to
sysfs. Look in /sys/class/dmi/id (or /sys/devices/virtual/dmi/id). But
you'll find out that serial numbers are readable only by root there as
well. So there seems to be a consensus that serial numbers shouldn't be
disclosed to all users.

-- 
Jean Delvare
http://khali.linux-fr.org/wishlist.html
reply via email to
[Prev in Thread] Current Thread [Next in Thread]