Date: Thu, 1 Feb 2001 14:28:13 -0200 From: "Mario Sergio Fujikawa Ferreira" <lioux@uol.com.br> To: freebsd-hackers@freebsd.org Cc: poool@terra.com.br, pablos@linf.unb.br, infax@bol.com.br Subject: a mtools wrapper (slight better control) Message-ID: <20010201142813.A659@Fedaykin.here>
next in thread | raw e-mail | index | archive | help
Hi, Here is my problem: I need to enable a group of workstations running XDM accesses to local disk floppies with FAT16/32 FS(es). Therefore, I considered ports/emulators/mtools. All users will have access to the floppy drives. All workstations will permit remote shell emulation (sshd,...). Thus, there can be a local and several remote users on all workstations. HOWEVER, I would like to only permit the local logged user accesses to the floppy through mtools. I need this because this lab is considered hostile environment and remote users might try to be fun destroying other ppls floppy files. Before, I get any complains I considered doing something. Here is what I though: 1) Create user floppy, group floppy 2) chown root:floppy /dev/fd0* 3) chmod 0660 /dev/fd0* 4) write a wrapper replacing /usr/local/bin/mtools mtools -> /usr/local/bin/mtools_real wrapper -> /usr/local/bin/mtools The wrapper will: 1) Sanitize the environment a la ports/x11/wrapper 2) First, check if the user trying mtools is the user locally logged through XDM. Second, I do not considered su (su from any other user) users locally logged. Third, I am still deciding the ruling about the remote logged with the same username (uid). 2nd and 3rd will depend on the ease to implement. 3) The wrapper will be installed sugid chown root:floppy /usr/local/bin/mtools chmod 2005 /usr/local/bin/mtools therefore, if (1) and (2) go well, the wrapper will run mtools_real with the appropriate privileges. The workstations will be running FreeBSD 4.x-Stable with XFree 4.0.2 from ports. The design seems fine, adding a simple, yet interesting level of control over mtools. However, how does one achieve item (2) of the wrapper design? 1) getuid to get the user running the wrapper 2) geteuid for additional checking 3) get through PAM the user who logged through XDM 4) crosscheck to see if running user match XDM user 5) check if the running process associated terminal is not a remote terminal (ssh, ...) 6) check if this a su user The list came from a mental exercise. However, I have no idea if this is feasible. Is this correct? How do I do 3-6? What could I do differently? Hope this is not out of line, or plainly in the wrong list. Regards, -- Mario S F Ferreira - UnB - Brazil - "I guess this is a signature." lioux at ( freebsd dot org | linf dot unb dot br ) flames to beloved devnull@someotherworldbeloworabove.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010201142813.A659>