Alan DuBoff wrote:
> On Friday 04 August 2006 10:00 am, Garrett D'Amore wrote:
>
>> I've been thinking, it seems to me that it is inconvenient that root
>> privilege is required to look at prom properties in the Solaris device
>> tree. I believe that the data located there is not security sensitive
>> (at least not normally), as long as unauthorized users are not allowed
>> to _modify_ those properties.
>>
>
> Security wise I might argue.
>
> It gives an unsuspecting user the ability to determine which disk boots at
> minimum.
>
In order to do anything with this knowledge the attacker would probably need to have root or physical access to the machine. And, for the vast, vast majority of cases, just running df -k / will also report this information. (In theory / might be mounted from somewhere other than the default boot settings for the prom, but I consider that case very very rare.)

I don't think there is anything in normal OBP settings and device properties where "reading" the data could be considered unsafe. I'm not sure what the interaction with Zones and sun4v is, since I've not played with either of those.

> I'd like to hear from someone like Casper or Darren who work on the security
> team.
>

Me too.

--
Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
http://www.tadpolecomputer.com/
Phone: 951 325-2134 Fax: 951 325-2191
