Bug#31864: marked as done (Should programs that access /dev/* be SGID?)
Your message dated Thu, 14 Jan 1999 15:07:17 +0100
with message-id <19990114150716.M13679@finlandia.artis.uni-oldenburg.de>
and subject line Bug#31864: Should programs that access /dev/* be SGID?
has caused the attached bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I'm
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
(administrator, Debian bugs database)
Received: (at submit) by bugs.debian.org; 14 Jan 1999 13:20:17 +0000
Received: (qmail 57 invoked from network); 14 Jan 1999 13:20:17 -0000
Received: from yonge.cs.toronto.edu (firstname.lastname@example.org)
by master.debian.org with SMTP; 14 Jan 1999 13:20:17 -0000
Received: from dvp.cs.toronto.edu ([126.96.36.199]) by yonge.cs.toronto.edu with SMTP id <86547-24627>; Thu, 14 Jan 1999 08:20:08 -0500
Received: by dvp.cs.toronto.edu id <15580-21816>; Thu, 14 Jan 1999 08:14:31 -0500
Date: Thu, 14 Jan 1999 08:14:24 -0500
From: Hwei Sheng TEOH <email@example.com>
Subject: Should programs that access /dev/* be SGID?
Content-Type: TEXT/PLAIN; charset=US-ASCII
I noticed that a lot of packages that access devices, such as CD players,
audio players, etc., are denied permission to access the relevant devices in
/dev/ when not run as root.
Perhaps such programs should be SGID to whatever group that device is
assigned? For example, since /dev/cdrom is read-writable by group 'disk', a
program, say cdplay, can be SGID to 'disk' so that it can be executed by
normal users. (This is what I've done on my system so that I don't have to su
to root all the time, or make binaries SUID root unnecessarily).
Of course, there might be security/administrative concerns that this might
give undue device access to normal users, but since many Linux boxes (such as
mine) are used only by one person, this should at least be an option during
installation? Or at the very least documented, so that beginners who don't
know about this can find out how to do it.