* [Bluez-users] ciptool setuid
@ 2004-04-29 20:30 Achim Bohnet
2004-04-29 22:35 ` Nicholas A. Preyss
2004-04-29 22:44 ` Marcel Holtmann
0 siblings, 2 replies; 5+ messages in thread
From: Achim Bohnet @ 2004-04-29 20:30 UTC
To: BlueZ Mailing List
Hi,
In Debian, members of group dip and dialout can use modem/isdn devices.
Unfortunately it looks like one needs to be root to run ciptool
and make the isdn controller via bluetooth available.
Question: Are there other methods to enable members of group dialout
to use ciptool than making it setuid root? If not, is it safe to
install ciptool by default like
-rwsr-x--- 1 root dialout 8368 2004-01-26 23:22 /usr/bin/ciptool
So all group members of dialout can run it. All capi devices are
accessible by dialout members:
# l /dev/capi*
crw-rw---- 1 root dialout 68, 0 2004-03-22 14:00 /dev/capi20
crw-rw---- 1 root dialout 68, 1 2004-03-22 14:00 /dev/capi20.00
crw-rw---- 1 root dialout 68, 2 2004-03-22 14:00 /dev/capi20.01
From a look at the usage/source it seems that ciptool really only allows
to 'create'/'release' a capi controller.
Achim
-- 
To me vi is Zen. To use vi is to practice zen. Every command is
a koan. Profound to the user, unintelligible to the uninitiated.
You discover truth everytime you use it.
-- reddy@lion.austin.ibm.com
-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users
* Re: [Bluez-users] ciptool setuid
2004-04-29 20:30 [Bluez-users] ciptool setuid Achim Bohnet
@ 2004-04-29 22:35 ` Nicholas A. Preyss
2004-04-29 22:44 ` Marcel Holtmann
1 sibling, 0 replies; 5+ messages in thread
From: Nicholas A. Preyss @ 2004-04-29 22:35 UTC
To: BlueZ Mailing List
On 0, Achim Bohnet <ach@mpe.mpg.de> wrote:
> In Debian, members of group dip and dialout can use modem/isdn devices.
> Unfortunately it looks like one needs to be root to run ciptool
> and make the isdn controller via bluetooth available.
>
> Question: Are there other methods to enable members of group dialout
> to use ciptool than making it setuid root? If not, is it safe to
> install ciptool by default like
>
> -rwsr-x--- 1 root dialout 8368 2004-01-26 23:22 /usr/bin/ciptool
Using sudo is the preferable way from a security point of view.
nicholas
* Re: [Bluez-users] ciptool setuid
2004-04-29 20:30 [Bluez-users] ciptool setuid Achim Bohnet
2004-04-29 22:35 ` Nicholas A. Preyss
@ 2004-04-29 22:44 ` Marcel Holtmann
2004-04-30 8:28 ` Nicholas A. Preyss
1 sibling, 1 reply; 5+ messages in thread
From: Marcel Holtmann @ 2004-04-29 22:44 UTC
To: Achim Bohnet; +Cc: BlueZ Mailing List
Hi Achim,
> In Debian, members of group dip and dialout can use modem/isdn devices.
> Unfortunately it looks like one needs to be root to run ciptool
> and make the isdn controller via bluetooth available.
everybody with CAP_NET_ADMIN can create or release a CIP device.
Regards
Marcel
* Re: [Bluez-users] ciptool setuid
2004-04-30 8:28 ` Nicholas A. Preyss
@ 2004-04-30 7:56 ` Marcel Holtmann
0 siblings, 0 replies; 5+ messages in thread
From: Marcel Holtmann @ 2004-04-30 7:56 UTC
To: Nicholas A. Preyss; +Cc: BlueZ Mailing List
Hi Nicholas,
> > everybody with CAP_NET_ADMIN can create or release a CIP device.
>
> But with this capability he gains a lot of rights over any kind of net
> traffic and devices. So I personally think, using sudo with a predefined set of
> allowed arguments is a more secure way.
I never tried it, but as far as I know you can assign a capability to a
specific executable for a specific user. However, using sudo is also a nice
way.
Regards
Marcel
* Re: [Bluez-users] ciptool setuid
2004-04-29 22:44 ` Marcel Holtmann
@ 2004-04-30 8:28 ` Nicholas A. Preyss
2004-04-30 7:56 ` Marcel Holtmann
0 siblings, 1 reply; 5+ messages in thread
From: Nicholas A. Preyss @ 2004-04-30 8:28 UTC
To: BlueZ Mailing List
On 0, Marcel Holtmann <marcel@holtmann.org> wrote:
> > In Debian, members of group dip and dialout can use modem/isdn devices.
> > Unfortunately it looks like one needs to be root to run ciptool
> > and make the isdn controller via bluetooth available.
>
> everybody with CAP_NET_ADMIN can create or release a CIP device.
But with this capability he gains a lot of rights over any kind of net
traffic and devices. So I personally think, using sudo with a predefined set of
allowed arguments is a more secure way.
nicholas
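The "sudo with a predefined set of allowed arguments" approach from the thread, sketched as an added example that is not part of any poster's message or of BlueZ: a wrapper that sudo runs as root for group dialout and that forwards only vetted arguments to ciptool. The wrapper name, the sudoers line and the Bluetooth-address argument form are assumptions; 'create' and 'release' are the operations named in the thread.

```sh
#!/bin/sh
# Added example: allow-list wrapper so sudo only ever forwards vetted ciptool calls.
# Hypothetical sudoers entry (wrapper path is an assumption):
#   %dialout ALL = (root) NOPASSWD: /usr/local/sbin/ciptool-dialout
# 'create' and 'release' are the operations named in the thread; the
# Bluetooth-address argument form is an assumption.

CIPTOOL=/usr/bin/ciptool   # path shown in the thread's ls output

# Succeeds only for six colon-separated hex octets, e.g. 00:11:22:33:44:55.
is_bdaddr() {
    case "$1" in
        # Any character outside hex digits and ':' (spaces, newlines, '-') is refused.
        *[!0-9A-Fa-f:]*) return 1 ;;
        # Exactly XX:XX:XX:XX:XX:XX; the branch above already made every X a hex digit.
        [!:][!:]:[!:][!:]:[!:][!:]:[!:][!:]:[!:][!:]:[!:][!:]) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only for the exact invocations the wrapper is willing to forward.
ciptool_args_allowed() {
    case "$1" in
        create)  [ "$#" -eq 2 ] && is_bdaddr "$2" ;;
        release) [ "$#" -eq 1 ] || { [ "$#" -eq 2 ] && is_bdaddr "$2"; } ;;
        *)       return 1 ;;
    esac
}

run_ciptool() {
    if ciptool_args_allowed "$@"; then
        # Fixed binary path and an emptied environment: the caller controls
        # nothing but the vetted arguments.
        exec env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin "$CIPTOOL" "$@"
    fi
    echo "usage: ciptool-dialout create <bdaddr> | release [bdaddr]" >&2
    return 64
}

# Forward only when arguments were given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    run_ciptool "$@"
    exit $?
fi
```

With this in place ciptool itself stays non-setuid (mode 0755, root:root), and the only root-reachable path for dialout members is the wrapper's two vetted operations.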