Bug#31864: Should programs that access /dev/* be SGID?

[Joseph Carter <knghtbrd@debian.org>]

On Thu, Jan 14, 1999 at 08:14:24AM -0500, Hwei Sheng TEOH wrote:
> I noticed that a lot of packages that access devices, such as CD players,
> audio players, etc., are denied permission to access the relevant devices in
> /dev/ when not run as root.
> 
> Perhaps such programs should be SGID to whatever group that device is
> assigned? For example, since /dev/cdrom is read-writable by group 'disk', a
> program, say cdplay, can be SGID to 'disk' so that it can be executed by
> normal users. (This is what I've done on my system so that I don't have to su
> to root all the time, or make binaries SUID root unnecessarily).

Program postinsts should do this if at all.  Please file specific bugs in
those cases.

Perhaps you should consider what I have done.  (well, what I did when I
had a cdrom, I no longer do..) I figure I already have group audio,
right?  I changed the device group to audio and then I take console users
such as knghtbrd and as root simply do "adduser knghtbrd audio". 
Suddenly knghtbrd has authorization to play sounds and in this case use
the cdrom.  This is the right solution.



> Of course, there might be security/administrative concerns that this might
> give undue device access to normal users, but since many Linux boxes (such as
> mine) are used only by one person, this should at least be an option during
> installation? Or at the very least documented, so that beginners who don't
> know about this can find out how to do it.

The security concerns reflect why this bug should be closed.  =>  Just
because security on most boxen can be lax does not mean that security
SHOULD be lax.

-- 
"Lennier, get us the hell out of here!"
"initiating 'getting us the hell out of here' maneuver."
                               -- Babylon 5