Date: Mon, 9 Jun 2003 19:51:57 -0400
From: Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To: security@freebsd.org
Subject: Re: Removable media security in FreeBSD
Message-ID: <20030609235157.GB10414@dali.cs.wm.edu>
In-Reply-To: <200306092254.QAA10240@lariat.org>
References: <20030609140347.B13040@fubar.adept.org> <200306092254.QAA10240@lariat.org>
Brett,
I found this in the notes I wrote on configuration of my VAIO laptop to
run FreeBSD, OpenBSD, or Linux.
On Mon, Jun 09, 2003 at 04:54:27PM -0600, Brett Glass wrote:
>
> If the desktop manager can be set up to change ownerships, etc., upon login,
> it would help. One response mentioned that this could be done for xdm, but I
> don't know if kdm has the same capability.
FreeBSD section:
To use kdm instead of xdm put /usr/local/bin/kdm instead of xdm in
/etc/ttys (or rc.local if you start X that way). The configuration is
in /usr/local/share/config/kdm. I have linked Xaccess, Xservers, and
Xwilling to xdm versions of these files. I didn't change other X*
files, except adding to Xstartup/Xreset similar to Give/TakeConsole for
xdm (see OpenBSD section). Configure kdmrc according to preferences.
User pictures for the login screen in PNG format go in
/usr/local/share/apps/kdm/pics/users/.
The reference to the OpenBSD section is for this piece:
Set the permission for the devices you want to use after login in
/etc/X11/xdm/GiveConsole and revert them back to root in
/etc/X11/xdm/TakeConsole. For example, to be able to play audio CDs put
in GiveConsole:
chmod o+r /dev/{,r}cd0?
and in TakeConsole the same line with the o-r option. The same can be done
with the device ownership, mount points, and the sysctl(8) option
kern.usermount if we want to allow users to mount and write the device
(e.g. floppy or CD-RW).
The brace syntax is possible above because sh in OpenBSD is a hard link
to ksh. For FreeBSD sh you'd need two lines.
What I refer to above is something like this in GiveConsole
(Xstartup for kdm):
chown $USER /dev/console
chown $USER /dev/fd0*
chown $USER /dev/fd1*
chown $USER /dev/hdc
and this in TakeConsole (Xreset for kdm):
chmod 622 /dev/console
chown root /dev/console
chown root /dev/fd0*
chown root /dev/fd1*
umount /mnt/floppy >/dev/null 2>&1 # some people forget to umount
chown root /dev/hdc
You can combine this with the correct chmod to keep them readable for
the current console user only.
> As I recall, Red Hat does something like this, but I'm not sure exactly how.
In Red Hat it can be done in the way described above or through
/etc/security/console.perms.
I hope this helps for a start.
--
Zvezdan Petkovic <zvezdan@cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/
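The GiveConsole/TakeConsole approach described in the message above, as an added example that is not part of the original post: one script for FreeBSD's sh (so no ksh brace expansion) that hands a fixed device list to the login user with mode 600 and returns it to root on logout, rather than opening the devices with o+r for everybody. The device paths, mount point, function names and the give/take arguments are assumptions for this example, not xdm's or kdm's own interface.

```shell
#!/bin/sh
# Added example: one script serving as both GiveConsole (Xstartup for kdm) and
# TakeConsole (Xreset for kdm). Written for FreeBSD sh, so the device list is
# spelled out instead of using ksh brace expansion such as /dev/{,r}cd0?.
# CONSOLE_DEVS, FLOPPY_MNT and the give/take arguments are assumptions for this
# example; a real deployment runs it as root from xdm/kdm.

CONSOLE_DEVS="${CONSOLE_DEVS:-/dev/fd0 /dev/cd0 /dev/rcd0}"
FLOPPY_MNT="${FLOPPY_MNT:-/mnt/floppy}"

# Permission string of a path, e.g. "-rw-------". ls is used because stat(1)
# takes different flags on BSD and GNU systems.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Owner name of a path, from the third column of ls -l.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# GiveConsole: hand each existing device to the login user, readable and
# writable by that user only (mode 600, instead of o+r for everybody).
give_console() {
    id "$1" >/dev/null 2>&1 || return 1      # refuse an empty or unknown user
    for dev in $CONSOLE_DEVS; do
        [ -e "$dev" ] || continue            # skip devices this machine lacks
        chown "$1" "$dev" || return 1
        chmod 600 "$dev"
    done
}

# TakeConsole: unmount what the user left mounted, then return every device
# to root. chown root needs privileges; if it fails the mode is still closed.
take_console() {
    umount "$FLOPPY_MNT" >/dev/null 2>&1 || true   # some people forget to umount
    for dev in $CONSOLE_DEVS; do
        [ -e "$dev" ] || continue
        chown root "$dev" 2>/dev/null || echo "take_console: cannot chown $dev" >&2
        chmod 600 "$dev"
    done
}

case "${1:-}" in
    give) give_console "${2:-$USER}" ;;     # xdm exports USER for Xstartup
    take) take_console ;;
esac
```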