My jazip package is almost ready to be uploaded (X tool to easily mount and unmount Iomega Zip and/or Jaz drives), but there's a final detail. It is suid-root and gives all users the ability to mount and umount zip and jaz devices. I explain why it is suid-root in README.Debian and also say how sysadmins can opt to control user access by creating a jazip group.
Here's the text relating to this issue in README.Debian of the unreleased package:

-------------------------------------------------------------------
jazip is suid-root. Once this package is installed, _all_ users on the
system will be able to mount and umount Zip and Jaz disks (Disks are
mounted with the nosuid flag to increase security).

Why is jazip suid-root?

  jazip uses SCSI_IOCTL_SEND_COMMAND ioctl to send commands out to the
  SCSI host. The kernel requires root privileges in order to do this
  (see /usr/src/linux/drivers/scsi/scsi_ioctl.c).

How can I control users' access to jazip?

  One way to do it is to change permission and group ownership of the
  jazip executable like so:

  $ ls -l /usr/bin/jazip
  -rwsr-xr-- 1 root jazip 147340 May 18 15:04 /usr/bin/jazip

  Then only members of group jazip can access the suid-root jazip binary
  (Use the add-group command to create the jazip group and the add-user
  command to add users to the jazip group).
-------------------------------------------------------------------

The question is: Do I leave this as it is, or do I create the jazip group in the package installation?

Policy says that I should create a Dynamically allocated system group (range 100-999) using adduser --system after checking with the base system maintainer (that would be base-passwd?) and debian-devel. If I do this, I don't really need the user ID, but only the group. Can I use addgroup instead?

As usual, thanks!

-- 
Peter Galbraith <[EMAIL PROTECTED]>
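Added example (not part of the original message or of the jazip package): a small shell audit that tells the all-users suid layout apart from the group-restricted one described in the README excerpt (-rwsr-xr-- root jazip, mode 4754). The function names and verdict words are hypothetical, and audit_suid_file assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit a setuid-root binary against the README.Debian layout
# (-rwsr-xr-- root jazip, i.e. mode 4754). Function names are hypothetical.

# classify_suid MODE OWNER GROUP WANT_GROUP [WANT_OWNER]
# MODE is octal as printed by `stat -c %a`. Prints one verdict word.
classify_suid() {
    mode=$1 owner=$2 group=$3 want_group=$4 want_owner=${5:-root}
    bits=$((0$mode))                      # leading 0 makes the shell read octal

    if [ $((bits & 04000)) -eq 0 ]; then
        echo not-suid                     # no setuid bit, nothing to restrict
    elif [ "$owner" != "$want_owner" ]; then
        echo wrong-owner                  # setuid, but not to the expected user
    elif [ $((bits & 0022)) -ne 0 ]; then
        echo writable                     # group/other can modify the binary
    elif [ $((bits & 0001)) -ne 0 ]; then
        echo open-to-all                  # every local user can run it as owner
    elif [ "$group" != "$want_group" ]; then
        echo wrong-group                  # gated, but by some other group
    else
        echo restricted                   # only owner and WANT_GROUP can execute
    fi
}

# audit_suid_file PATH WANT_GROUP [WANT_OWNER]  (uses GNU stat)
audit_suid_file() {
    info=$(stat -c '%a %U %G' -- "$1") || return 2
    # Intentional word splitting: $info is "MODE OWNER GROUP".
    classify_suid $info "$2" "${3:-root}"
}

# Constructed sample inputs: an all-users suid mode versus the README's layout.
classify_suid 4755 root root  jazip       # open-to-all
classify_suid 4754 root jazip jazip       # restricted
```

On an installed system the check would be run as: audit_suid_file /usr/bin/jazip jazip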

