Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!gatech!rayssd!dhb
From: dhb@rayssd.RAY.COM (David H. Brierley)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX classified operation - (nf)
Message-ID: <1110@rayssd.RAY.COM>
Date: Fri, 3-Jul-87 22:39:52 EDT
Article-I.D.: rayssd.1110
Posted: Fri Jul  3 22:39:52 1987
Date-Received: Sat, 4-Jul-87 15:34:24 EDT
References: <175@uw-apl.UUCP> <8300007@iaoobelix.UUCP>
Sender: dhb@rayssd.RAY.COM (David H. Brierley @ Raytheon Company, Portsmouth RI)
Reply-To: dhb@rayssd.RAY.COM (David H. Brierley)
Organization: Raytheon Company, Portsmouth RI
Lines: 29

In article <8300007@iaoobelix.UUCP> woerz@iaoobelix.UUCP writes:
>
>It's even more complicated in UNIX. Tar opens the file and you get a
>log. But consider dump. It opens the raw device of the disk and
>copies the raw block to tape or to another location. I think it is
>nearly impossible to protect someone from reading the raw disk under
>UNIX. You can write a log entry from dump, but I think you cannot
>protect against someone reading the raw disk with his own programs.
>

Protecting normal users from reading the raw disk is not only easy,
it is essential to system security.  All block and character device
entries for the various disk drives (i.e. /dev/rhp0a, /dev/rra0a)
should be made mode 600 and owned by either root or some other "secure"
account.  If the raw disk is readable by general users it effectively
overrides any file permissions that other users might set up.

I strongly suggest that any system administrators who are not sure
about this check the device entries to make sure the permissions are
set correctly.
-- 
	David H. Brierley
	Raytheon Submarine Signal Division
	1847 West Main Road
	Portsmouth, RI 02871

Phone:		(401)-847-8000 x4073
Internet:	dhb@rayssd.ray.com
Uucp:		{cbosgd, gatech, linus, mirror, necntc, uiucdcs} !rayssd!dhb