Bug 24765

Description Robert Watson 2001-02-01 00:00:01 UTC

devfs provides spiffy keen automatic /dev management.  Unfortunately,
some default permissions are poor, and permit leaking of information
inappropriately.

Here are some excerpts from my dev box:

crw-r--r--  1 root  operator  117,   0 Dec 31  1969 acd0a
crw-r--r--  1 root  operator  117,   2 Dec 31  1969 acd0c
lrw-rw-rw-  1 root  wheel            5 Jan 31 18:39 audio -> audio0.0
crw-rw-rw-  1 root  wheel      30,   4 Dec 31  1969 audio0.0
crw-rw-rw-  1 root  wheel      30, 0x00010004 Dec 31  1969 audio0.1
crw-rw-rw-  1 root  wheel      21,   0 Dec 31  1969 bpsm0
lrw-rw-rw-  1 root  wheel            3 Jan 31 18:39 dsp -> dsp0.0
crw-rw-rw-  1 root  wheel      30,   3 Dec 31  1969 dsp0.0
crw-rw-rw-  1 root  wheel      30, 0x00010003 Dec 31  1969 dsp0.1
lrw-rw-rw-  1 root  wheel            4 Jan 31 18:39 dspW -> dspW0.0
crw-rw-rw-  1 root  wheel      30,   5 Dec 31  1969 dspW0.0
crw-rw-rw-  1 root  wheel      30, 0x00010005 Dec 31  1969 dspW0.1
lrw-rw-rw-  1 root  wheel            5 Jan 31 18:39 mixer -> mixer0
crw-rw-rw-  1 root  wheel      30,   0 Dec 31  1969 mixer0
crw-rw-rw-  1 root  wheel      21,   1 Dec 31  1969 psm0

Cam has offered to look into the sound device issues, but the permissions
that really worry me are the ones on the ATAPI CDROM.  Just because I
put a CD in the drive doesn't mean that every user should be able to
read from it.  Using the same settings as for the ad* devices might make
the most sense.  There may be other devices that have excessively liberal
permissions, and the kernel should be reviewed to determine that they
are correct, and documentation of devfs node creation calls should be
sure to warn device developers that they need to be careful.

Fix: 

Find device developer.  Hit device developer with corrected manpage.
Fix code.
How-To-Repeat: 
Use GENERIC after options DEVFS was enabled by default.