Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!cis.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!news.cs.indiana.edu!kinzler@iuvax.cs.indiana.edu
From: kinzler@iuvax.cs.indiana.edu (Steve Kinzler)
Newsgroups: comp.sys.alliant
Subject: setgid kmem executables -> permission denied?
Message-ID: <1991May27.173525.2100@news.cs.indiana.edu>
Date: 27 May 91 17:35:17 GMT
Sender: root@news.cs.indiana.edu (Operator)
Organization: Computer Science, Indiana University
Lines: 16
X-Face: %Mz-_My%|8Y#+Dghgh,Owh]Y.wswC(Sr"9$Yxo>,y2|lC]st $*`Oi=Xk;O-^xC=eu>[1;(HMb(!:`;V$i'=z{ZjV x.g*4`x70T3%o3O=[3*ZxF6Z12vu`
X-Planation: X-Face can be viewed with "faces". From the iuvax archive today.

In an attempt to improve security on our Alliant FX/8 running Concentrix 5.0.0, I wanted to make /dev/kmem and /dev/mem not world-readable. So I made a group kmem (gid 6), found the system programs that need to read /dev/*mem, made them all setgid kmem, and made /dev/*mem owned by group kmem.

But, when I "chmod o-r /dev/*mem", I find that ordinary users can't run these system programs (such as /bin/ps, /bin/mon, etc). They get "Permission denied".

Am I missing something fundamental here, or is this a quirk of Concentrix? I've done this on other variants of Unix with success.

Thanks for any help,

Steve Kinzler
Sys Admin
IU Comp Sci
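
A check of the arrangement described in the post above (group and mode on the memory device, group, setgid bit and world-execute bit on each reader program), added here as an example and not part of the original post. The function names are hypothetical, and the script inspects only ownership and mode bits as reported by POSIX `ls -ldn`; nothing in it is specific to Concentrix.

```shell
#!/bin/sh
# Added example: audit the setgid-kmem layout described in the post.
# Function names are hypothetical; gid and paths are supplied by the caller.

# Print "<10-char mode string> <numeric gid>" for a path (POSIX ls -ldn).
mode_and_gid() {
    ls -ldn "$1" | awk '{ print substr($1, 1, 10), $4 }'
}

# Memory device: must be in the group, group-readable, not world-readable.
check_dev() {
    want=$1; path=$2; rc=0
    [ -e "$path" ] || { echo "$path: missing"; return 2; }
    info=$(mode_and_gid "$path"); mode=${info% *}; have=${info#* }
    [ "$have" = "$want" ] || { echo "$path: gid $have, expected $want"; rc=1; }
    case $mode in ????r?????) ;; *) echo "$path: not group-readable"; rc=1 ;; esac
    case $mode in ???????r??) echo "$path: still world-readable"; rc=1 ;; esac
    return $rc
}

# Reader program: must be in the group, setgid, and executable by others.
check_prog() {
    want=$1; path=$2; rc=0
    [ -e "$path" ] || { echo "$path: missing"; return 2; }
    info=$(mode_and_gid "$path"); mode=${info% *}; have=${info#* }
    [ "$have" = "$want" ] || { echo "$path: gid $have, expected $want"; rc=1; }
    case $mode in ??????[sS]???) ;; *) echo "$path: setgid bit not set"; rc=1 ;; esac
    case $mode in ?????????[xt]) ;; *) echo "$path: not executable by others"; rc=1 ;; esac
    return $rc
}

# audit GID DEVICE PROGRAM...  -> returns 0 only if every check passes.
# With the post's values: audit 6 /dev/kmem /bin/ps /bin/mon
audit() {
    audit_gid=$1; dev=$2; shift 2; failed=0
    check_dev "$audit_gid" "$dev" || failed=1
    for prog in "$@"; do
        check_prog "$audit_gid" "$prog" || failed=1
    done
    return $failed
}
```

Each failed condition is printed with the path it applies to, so the output lists which file still differs from the intended layout.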