[Dazuko-devel] Re: Dazuko device owned by non-root user

[John Ogness]

Hi Robert,

I am replying to the dazuko-devel mailing list as well because I think this
is information that would interest many people.

robert wrote:
> Very early on in development I decided that it was a good/safe idea to chown 
> the dazuko device to the user performing the install instead of root. This 
> solved a lot of usability issues and since the device is still chmod 600 I 
> figured there was no problem.
> 
> I'm now beginning to wonder - what in your view are the potential pitfalls of 
> this approach? Am I courting disaster for KlamAV users or is this acceptable?

This could potentially be dangerous for AV-protection. If malicious code was
executed by the user, the code could register itself with Dazuko and work
"unnoticed" by the the AV-software. (However, if the malicious code was able
to execute in the first place, then it was not detected by the AV-software
anyway.) Dazuko relies on proper system permissions to control access to Dazuko.

For a more controlled setup it would be better if the Dazuko device was
owned by a special group. The scanner itself could be setgid for this group
to be able to access Dazuko. This would have the same affect as you have now
with the added benefit that only the scanner has priveledges to communicate
with Dazuko.

# newgrp dazuko
# chown root:dazuko /dev/dazuko
# chmod 660 /dev/dazuko
# chgrp dazuko avscanner.bin
# chmod g+s avscannerbin.bin

In summary, I wouldn't go so far to say that you are courting disaster for
KlamAV users. But by using a special group with setgid binaries, you would
be creating an environment that is less prone to problems. A special group
also allows other non-priveledged Dazuko applications to run on the system
without requiring that application to run as a specific user.

John Ogness

-- 
Dazuko Maintainer