> On OpenBSD, members of the operator group are allowed to > reboot the system, change tapes ... normal things that > someone trusted to operate the system would be allowed to do. > Letting them write to CD/DVD is very low on the scale of bad > things they could already do, like boot into single user > mode and mess with all kinds of stuff, and so does not > further compromise the security of the system. There is > virtually no way anyone could escalate their privileges by > simply allowing them to write to a CD device.
Sure there is. Write new firmware to the device that lets you lock up the bus or tunnel SCSI commands to another device. You could password-protect all other devices on the bus, format disks with non-standard sector sizes, eject boot media, and so on. People have been hacking firmware, mostly to remove annoying spped restrictions and DVD restrictions, so don't for a moment think that obscurity will save you. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
