Bowen, Clint wrote:
> What is the rationale for requiring root for dmidecode?

In order to find DMI tables dmidecode needs to access physical memory (through /dev/mem).
On Mac OSX it would be possible to retrieve SMBIOS through ioreg but my patch to interpret data from ioreg was declined.

> Assuming this is a technical requirement, has the suid bit been considered?
> I don't see anything in the output that I don't want an unpriv user to access.
> If there is, might this be mitigated by creating a group 'dmidecode', which
> with group membership would allow unpriv access? I ask since we have an
> inventory tool that wants the system serial number, for example, that doesn't
> seem to exist anywhere else.

Each suid binary is a potential security hole. In most cases an unprivileged user doesn't need to know on which system he is and so dmidecode is useless for him.

Security considerations:
1) Some BIOSes export encryption key from token through SMBIOS
2) If SMBIOS anchor is faulty dmidecode may dump a random chunk of memory which is a security hole

In light of this I would say that setuid'ing dmidecode is a bad idea but I acknowledge that non-root dmidecode may be useful. For these cases the right tool is sudo. E.g. in your sudoers file:

    %dmidecode ALL=(root) NOPASSWD: /sbin/dmidecode ""

> --
> Clint Bowen - RHCE
> Linux Team Lead
> Platform Services
> Information Technology Services
> State of North Carolina
> 919.754.6278
>
> ############################NOTICE######################################
> E-mail correspondence to and from this address may be subject to the
> North Carolina Public Records Law and may be disclosed to third parties
> by an authorized state official.
> ########################################################################
>
> _______________________________________________
> http://lists.nongnu.org/mailman/listinfo/dmidecode-devel

-- 
Regards
Vladimir 'phcoder' Serbinenko

Personal git repository: http://repo.or.cz/w/grub2/phcoder.git
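
Added example (not part of the original message and not dmidecode project code): the sudoers rule above ends in "", so no arguments may be passed and an inventory tool has to parse the full output for the system serial number. The sample output is constructed, the function names are hypothetical, and the text layout is assumed to be dmidecode's usual one.

```python
import subprocess

# Exactly the command the sudoers rule permits: no arguments after the path.
# "-n" makes sudo fail instead of prompting if the rule does not apply.
DMIDECODE_CMD = ["sudo", "-n", "/sbin/dmidecode"]

# Constructed sample output (not from a real machine).
SAMPLE_OUTPUT = """\
# dmidecode 3.2
SMBIOS 2.7 present.

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Corp
\tProduct Name: Example Model
\tSerial Number: CONSTRUCTED-SYS-0001

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
\tManufacturer: Example Corp
\tSerial Number: CONSTRUCTED-BOARD-0002
"""

def parse_records(text):
    """Split dmidecode output into (dmi_type, {field: value}) records."""
    records, fields = [], None
    for line in text.splitlines():
        if line.startswith("Handle ") and "DMI type" in line:
            # Header looks like: "Handle 0x0001, DMI type 1, 27 bytes"
            dmi_type = int(line.split("DMI type")[1].split(",")[0])
            fields = {}
            records.append((dmi_type, fields))
        elif (fields is not None and line.startswith("\t")
              and not line.startswith("\t\t") and ": " in line):
            key, value = line.strip().split(": ", 1)
            fields.setdefault(key, value)
    return records

def system_serial(text):
    """Serial Number of the System Information record (DMI type 1) only;
    baseboard and chassis records carry their own Serial Number fields."""
    for dmi_type, fields in parse_records(text):
        if dmi_type == 1:
            return fields.get("Serial Number")
    return None

def read_system_serial():
    """Run dmidecode via sudo as a member of the dmidecode group."""
    out = subprocess.run(DMIDECODE_CMD, capture_output=True, text=True,
                         check=True, timeout=10).stdout
    return system_serial(out)
```
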
