From: Joel
To: freebsd-questions@freebsd.org
Date: Mon, 25 Apr 2005 13:06:49 +0900
Subject: Re: Allowing a group to use fstab mount-points
Message-Id: <20050425122640.45C8.REES@ddcom.co.jp>
In-Reply-To: <200504250419.02530.list-freebsd-2004@morbius.sent.com>
References: <44ekczzz4t.fsf@be-well.ilk.org> <200504250419.02530.list-freebsd-2004@morbius.sent.com>

> > > I have fstab entries for several devices that aren't mounted at boot, but
> > > when mounting as an ordinary user, I can only mount a device on a
> > > mount-point that I own.
> > >
> > > Is it possible to relax this so that any user in the operator group can
> > > make use of the same fstab entries? I know I could make separate entries
> > > for each user, but it's a bit cumbersome.

Have you looked at sudo?

(The way I'm recommending sudo for everything, you'd think it was peanut
butter.)

> > Most people don't really want a user to be able to mount devices any
> > time, but only when that user is on the console. fbtab(5) and
> > equivalent functionality under X take care of that quite well.
>
> That's interesting, I wasn't aware of fbtab before. However it doesn't really
> help. As I read it, it only allows the ownership of devices to be changed,
> not mount-points.

?

Mount points are normal directories. Not sure what you're aiming at
there.

> On a desktop machine, without remote access, there isn't really any
> significant problem with users mounting dvds etc. Actually, I normally mount
> devices as root, it's just that when other people (who are definitely never
> going to be in my wheel group) borrow my computer they make patronizing
> comments if this kind of thing isn't straightforward, and clean.

Well, we don't want to be rude about the people who borrow your computer,
but if they make patronizing remarks about something like this, I'm not
sure I'd let them borrow my computer. ;)

> Basically, what I'd like is for users to be able to mount certain devices from
> KDE, without going through hoops, or using strange mount-points.

FWIW, I've done this with sudo, though I don't think I've done it with
sudo on FreeBSD.

But you ought to be able to set up sudo to allow the user you loan them
to mount whatever.

Just be careful. If they are making patronizing remarks, you definitely
don't want them being able to get root. ;-|:

Rough idea --

Set up a new user, maybe named "mounter", member of operator, no login
shell, password blocked, etc. Allocate a /home/mounter for the account,
just in case, and set PATH to empty. Put as many bumps in the road as
you have time.

If the account you loan out to these guys is "loaner", you can put an
entry in sudoers that will allow the "loaner" account to do one command,
and one command only, to mount the CD. (I assume it's the CD.) Be
careful how you specify the parameters, so you don't open a hole for
them.

I think mounting is one of the examples for sudoers.

If the command you set up in sudoers is something like

    mount /mnt/cdrom

then they will type

    sudo -u mounter mount /mnt/cdrom

I'd refrain from giving them NOPASSWD on it, just because they're
obnoxious. But if you've been logging in for them so they won't have a
password, you'll either have to let them have the password to the loaner
account after all so they can enter it after the command, or you'll have
to give them the NOPASSWD option in sudoers.

I'd give you a guess of what the line for sudoers would look like, but,
as I say, mounting is one of the examples you'll see when you man
sudoers.

HTH

--
Joel Rees
digitcom, inc. 株式会社デジコム
Kobe, Japan +81-78-672-8800
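
A sketch of the sudoers entry the message describes, added here as an example and not taken from the message or from the sudoers manual. It uses the message's names ("loaner", "mounter", /mnt/cdrom) and assumes the FreeBSD base-system paths /sbin/mount and /sbin/umount, and that the mounter account is itself able to mount on /mnt/cdrom (per the original question, an ordinary user can only mount on a mount-point they own).

```sudoers
# Added example. Edit with visudo, which syntax-checks the file before saving.
# "loaner", "mounter" and /mnt/cdrom are the names used in the message above;
# /sbin/mount and /sbin/umount are assumed to be the installed paths.

# Too broad: a command listed with no arguments matches ANY arguments,
# so loaner could run mount as mounter with options and targets of their choosing.
# loaner ALL = (mounter) /sbin/mount

# Pinned: the full command line must match exactly, and the full path
# prevents a look-alike "mount" earlier in PATH from being run.
Cmnd_Alias CDROM = /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

# loaner may run only the two CDROM commands, only as mounter,
# and is prompted for loaner's own password.
loaner ALL = (mounter) CDROM

# Alternative if the loaner account has no usable password
# (the NOPASSWD trade-off discussed in the message):
# loaner ALL = (mounter) NOPASSWD: CDROM
```

With the pinned entry in place, `sudo -l` run as loaner lists exactly what is permitted, and `sudo -u mounter /sbin/mount /mnt/cdrom` is the only mount invocation that matches.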