Should I create a group jazip
My jazip package is almost ready to be uploaded (X tool to easily
mount and unmount Iomega Zip and/or Jaz drives), but there's a
final detail. It is suid-root and gives all users the ability to
mount and umount zip and jaz devices. I explain why it is
suid-root in README.Debian and also say how sysadmins can opt to
control user access by creating a jazip group.
Here's the text relating to this issue in README.Debian of the
unreleased package:
-------------------------------------------------------------------
jazip is suid-root. Once this package is installed, _all_ users on the
system will be able to mount and umount Zip and Jaz disks (Disks are
mounted with the nosuid flag to increase security).

Why is jazip suid-root?

jazip uses SCSI_IOCTL_SEND_COMMAND ioctl to send commands out to the
SCSI host. The kernel requires root privileges in order to do this
(see /usr/src/linux/drivers/scsi/scsi_ioctl.c).

How can I control users' access to jazip?

One way to do it is to change permission and group ownership of the jazip
executable like so:

  $ ls -l /usr/bin/jazip
  -rwsr-xr-- 1 root jazip 147340 May 18 15:04 /usr/bin/jazip

Then only members of group jazip can access the suid-root jazip
binary (Use the add-group command to create the jazip group and the
add-user command to add users to the jazip group).
-------------------------------------------------------------------
The question is:
Do I leave this as it is,
or do I create the jazip group in the package installation?
Policy says that I should create a Dynamically allocated system
group (range 100-999) using adduser --system after checking with
the base system maintainer (that would be base-passwd?) and
debian-devel.
If I do this, I don't really need the user ID, but only the group.
Can I use addgroup instead?
As usual, thanks!
--
Peter Galbraith <GalbraithP@dfo-mpo.gc.ca>
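
The group-restricted layout in the README excerpt (-rwsr-xr-- root jazip) can be checked mechanically. The script below is an added example, not part of the jazip package or of the original message; the function names are hypothetical and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit a setuid-root binary that is meant to be runnable
# only by one group, e.g.  sh audit.sh /usr/bin/jazip jazip

# classify_mode OCTAL_MODE
# Prints who may execute a file with this mode:
#   not-setuid | world-exec | group-only | owner-only
classify_mode() {
    mode=$(( 0$1 ))                       # "4754" is read as octal 04754
    if [ $(( mode & 04000 )) -eq 0 ]; then echo not-setuid
    elif [ $(( mode & 00001 )) -ne 0 ]; then echo world-exec
    elif [ $(( mode & 00010 )) -ne 0 ]; then echo group-only
    else echo owner-only
    fi
}

# audit_suid FILE GROUP
# Returns 0 only if FILE is setuid, owned by root:GROUP, executable by the
# group but not by others, and not writable by group or others.
# Returns 1 on a finding (printed), 2 if FILE cannot be examined.
audit_suid() {
    file=$1; want_group=$2
    info=$(stat -c '%a %U %G' "$file") || return 2   # GNU stat format
    set -- $info
    perms=$1; owner=$2; group=$3
    access=$(classify_mode "$perms")
    rc=0
    [ "$access" = group-only ] || { echo "$file: access is $access, want group-only"; rc=1; }
    [ "$owner" = root ] || { echo "$file: owner is $owner, want root"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$file: group is $group, want $want_group"; rc=1; }
    if [ $(( 0$perms & 00022 )) -ne 0 ]; then
        echo "$file: writable by group or others"; rc=1
    fi
    return $rc
}

# Run the audit only when a file and a group are given on the command line.
if [ $# -ge 2 ]; then
    audit_suid "$1" "$2"
fi
```

A package upgrade that resets the binary to a world-executable mode shows up as a "world-exec" finding, which is the case the group restriction is meant to prevent.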