Date: Tue, 10 Jun 2003 18:28:44 -0400 (EDT) From: Adrian Filipi-Martin <adrian+freebsd-security@ubergeeks.com> To: zk <zk@wspim.edu.pl> Cc: security@freebsd.org Subject: Re: Removable media security in FreeBSD Message-ID: <20030609191725.E77012@lorax.ubergeeks.com> In-Reply-To: <20030608080429.GA234@hhos.serious.ld> References: <200306080728.BAA24342@lariat.org> <20030608080429.GA234@hhos.serious.ld>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 8 Jun 2003, zk wrote: > On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote: > > since this would allow anyone to write someone else's removable media. Is > > there a standard, SECURE way of allowing an unprivileged user at the console > > to get at removable media that s/he has inserted in the machine? > > > Create group floppy, chown 0:floopy /dev/floppy*, chmod g+rw /dev/fd0* > and add user to group floppy. > And vfs.usermount=1 > > zk I'd also recommend this approach, but with one caveat. The users will likely have trouble with newly formatted media. newfs always creates a filesystem with root:wheel as the owner. I submitted a patch (bin/34146) to make the default ownership match the user running the command if it was not being run as root. You might want to check it out. We've been running unix application developer desktops happily this way for a couple of years now. We've been using the Give/TakeConsole scripts under wdm. I used to use the sudo based approaches in the past under HP-UX, but usermounts under *BSD are just simply cleaner and more flexible. cheers, Adrian -- [ adrian@ubergeeks.com ]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030609191725.E77012>