HPE Community
Operating System - HP-UX
1755516 Members
4426 Online
108834 Solutions
New Discussion юеВ

/dev/rmt permissions - default

 
SOLVED
Go to solution
ConnieK
Regular Advisor

тАО08-24-2000 10:36 AM

тАО08-24-2000 10:36 AM

/dev/rmt permissions - default

I have been notified by our security office of a "finding" in regard to the permissions granted on /dev/rmt/* (the tape devices). They have stated that the permissions that are set on each device/tape allow "others" to have access and possibly erase data on a tape. The permissions are now crw-rw-rw- (766) and need to be changed to 760. My questions are:
1. Will changing the permissions cause any problems?
2. Is this an HP default setting?
Thanks in advance for your responses!
Independent by nature
0 Kudos
Reply
3 REPLIES 3
Antoanetta Naghiu
Esteemed Contributor

тАО08-24-2000 10:42 AM

тАО08-24-2000 10:42 AM

Re: /dev/rmt permissions - default

The default is 666 under bin:bin ownership.
If changed to 660, that means you take away from users the possibility to backup/restore.
It is not a big issue, but as well I do not see a huge security problem here. Maybe other devices...
0 Kudos
Reply
Victor BERRIDGE
Honored Contributor

тАО08-24-2000 10:47 AM

тАО08-24-2000 10:47 AM

Re: /dev/rmt permissions - default

As Antoanetta mentioned, it is read write for other in order to let anyone use the tape drive, not only backup purpose...I dont see anything wrong or issue to that...
Regards
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО08-24-2000 01:46 PM

тАО08-24-2000 01:46 PM

Solution

Re: /dev/rmt permissions - default

Each system admin should review the permissions on all device files. For a large server, tapes should never be accessible by users since most backup programs have no security code to allow reading of the tape. Consider a backup of porprietary data like personnel records or financial data. All the protection in unix through file and directory permissions is useless once the data is on a tape.

While the ordinary user can't restore files into directories owned by root, someone could restore these files into a local directory with simple commands like chroot. By restricting the tape device files to 600 or 660 (7 is meaningless as the tape device files are not executable), only root can read or write tapes.

Same thing for all disk device files. *NO* read or write permissions for ordinary users. If these device files were readable (whether lvols or physical disks), a hacker to read the raw data on any disk and bypass all file/directory protection.


Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.