From: Gautam Gopalakrishnan
To: Eric F Crist
Cc: freebsd-questions@freebsd.org
Date: Tue, 13 Jan 2004 08:04:18 +1100
Subject: Re: Mounting as non-root?

On Mon, Jan 12, 2004 at 02:59:38PM -0600, Eric F Crist wrote:
> On Monday 12 January 2004 02:50 pm, Gautam Gopalakrishnan wrote:
> > On Mon, Jan 12, 2004 at 02:40:54PM -0600, Eric F Crist wrote:
> > > What is the most secure way to enable mounting of flash drives, cdroms,
> > > and floppies? I've seen solutions that include setting setuid on mount.
> > > I would rather not go this route. Is there any other easy, secure way?
> >
> > sudo is the easiest I've seen. I've stopped using su nowadays, for anything
>
> Gautam,
>
> I guess I should have specified a little clearer. My desktop users have an
> icon on their desktops so they can access the cdrom, usb flash drives, etc.
> They need the ability to just right-click and select mount or unmount. I have
> temporarily setuid on mount and umount, but this allows these users to mount
> and unmount core filesystems, too. I would like to get away from this.

My newbie suggestion would be to make mount and umount a shell script
which just execs sudo. In sudo, you could specify which users could
(un)mount which devices. You would obviously need to rename mount and
umount and remember to keep track when you do a buildworld...

My 0.02

Gautam
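
A sketch of the wrapper-plus-sudo arrangement suggested above, added here as an example and not part of the original message. The renamed binary path /sbin/mount.real, the "desktop" group, and the device and mount point names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Wrapper installed under the name "mount" once the real binary is renamed.
# REAL_MOUNT is an assumed name for the renamed binary; devices and mount
# points below are constructed sample values.
REAL_MOUNT=/sbin/mount.real

# lookup_target DEVICE: print "fstype device mountpoint" for a removable
# device on the allowlist, return 1 for anything else (core filesystems).
lookup_target() {
    case "$1" in
        /dev/acd0)  echo "cd9660 /dev/acd0 /cdrom" ;;
        /dev/da0s1) echo "msdosfs /dev/da0s1 /flash" ;;
        /dev/fd0)   echo "msdosfs /dev/fd0 /floppy" ;;
        *)          return 1 ;;
    esac
}

# mount_cmd DEVICE: print the one sudo command line allowed for DEVICE.
# Filesystem type, options and mount point are fixed here, never taken from
# the caller, so the line matches a sudoers entry word for word.
mount_cmd() {
    [ "$#" -eq 1 ] || return 2      # no caller-supplied flags such as -o
    t=$(lookup_target "$1") || return 1
    set -- $t
    printf 'sudo %s -t %s -o nosuid %s %s\n' "$REAL_MOUNT" "$1" "$2" "$3"
}

# safe_mount DEVICE: entry point for the desktop "mount" action.
# With DRY_RUN set it prints the command instead of running it.
safe_mount() {
    cmd=$(mount_cmd "$@") || { echo "mount: $* not permitted" >&2; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; return 0; fi
    exec $cmd
}

# The sudoers entries (edit with visudo) are the actual control: sudo only
# accepts these exact argument lists. "desktop" is a hypothetical group.
#   %desktop ALL = NOPASSWD: \
#       /sbin/mount.real -t cd9660 -o nosuid /dev/acd0 /cdrom, \
#       /sbin/mount.real -t msdosfs -o nosuid /dev/da0s1 /flash, \
#       /sbin/mount.real -t msdosfs -o nosuid /dev/fd0 /floppy

if [ "$#" -gt 0 ]; then safe_mount "$@"; fi
```

The wrapper runs as the calling user, so it only shapes the request; a user who bypasses it and calls sudo directly is still held to the argument lists in sudoers. An umount wrapper would follow the same pattern with the mount points as its allowlist.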