| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Sep 2010 09:53:30 -0500 From: Olof Johansson <olof@...om.net> To: Jean Delvare <khali@...ux-fr.org> Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org, Tejun Heo <tj@...nel.org> Subject: Re: [PATCH] dmi: export dmi data through debugfs On Wed, Sep 29, 2010 at 09:34:03AM +0200, Jean Delvare wrote: > Hi Olaf, > > On Tue, 28 Sep 2010 16:12:46 -0500, Olof Johansson wrote: > > I've found this quite useful since it allows dmidecode to run without > > root privileges using --from-dump to read this file instead > > This is a bad idea. We do NOT want every user to have access to all the > DMI information. There is sensitive information in there (serial > numbers and UUIDs, and possibly even more sensitive data in > OEM-specific records.) If you look in /sys/class/dmi/id/, you'll see > that files board_serial, chassis_serial, product_serial and > product_uuid are only readable by root exactly for this reason. > So this is a NACK from me, sorry. So how about a change to mode 0400 on the debugfs file then? It's still better than having a userspace tool dig around /dev/mem for the information. -Olof -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists