From: Doug White
To: Jorge Aldana
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 22 Apr 1999 11:28:28 -0700 (PDT)
Subject: Re: Users mounting CD's or Audio CD's

On Wed, 21 Apr 1999, Jorge Aldana wrote:

> Yes, but which permissions need to be set on what? I'd like to do this and
> avoid any security holes if possible.

Allowing (regular) users to mount/umount FSs is already a security
problem; it's quite trivial to panic the kernel with a floppy drive,
remount /usr to a trojaned NFS share, or other Bad Things. There's a
reason why every other UNIX hardware vendor uses power eject floppies. :)

> I've seen code that uses setgid? or setuid? to do this but I'm not sure I
> want to go down that road if there is an official way of doing this with
> FreeBSD. Also, others have mentioned super? but I still get permissions
> errors?

Super/sudo should allow it; I've done it myself.

> I'm currently looking through the archive mail lists but so far no
> concrete info. All I can find is use app this and that but no config
> parameters?

With sudo you can restrict the users to running only /sbin/mount and
/sbin/umount. You can't restrict what they can do with those commands,
only the ability to execute them as root.

Doug White
Internet:  dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite    | www.freebsd.org
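
Added example, not part of Doug White's message: since a sudo rule naming /sbin/mount and /sbin/umount hands over every argument those commands accept, one option is to grant sudo on a small wrapper that runs them with fixed arguments only. The script name cdmount, its install path, the cdusers group, the device /dev/cd0 and the mount point /cdrom are all assumptions.

```sh
#!/bin/sh
# cdmount: hypothetical wrapper, added as an illustration.
# Assumed sudoers entry (group name and path are assumptions):
#   %cdusers ALL = (root) /usr/local/sbin/cdmount
# Users then run "sudo cdmount mount" or "sudo cdmount umount" and never
# get to pass a device, mount point or option to mount(8) themselves.

CD_DEV="/dev/cd0"   # assumed device node; adjust to the local CD-ROM drive
CD_MNT="/cdrom"     # assumed mount point

# Print the one command line allowed for the requested action.
# Returns 2 for a missing, unknown or extra argument.
cd_command() {
    [ "$#" -eq 1 ] || return 2
    case "$1" in
        mount)  echo "/sbin/mount -t cd9660 -o ro,nosuid $CD_DEV $CD_MNT" ;;
        umount) echo "/sbin/umount $CD_MNT" ;;
        *)      return 2 ;;
    esac
}

main() {
    cmd=$(cd_command "$@") || {
        echo "usage: cdmount mount|umount" >&2
        return 64
    }
    # Refuse a mount point that has been replaced by a symlink.
    if [ ! -d "$CD_MNT" ] || [ -L "$CD_MNT" ]; then
        echo "cdmount: $CD_MNT is not a plain directory" >&2
        return 1
    fi
    PATH=/sbin:/bin:/usr/bin; export PATH
    # Word splitting is safe here: $cmd is built only from the constants above.
    set -- $cmd
    exec "$@"
}

# Run only when invoked under its installed name, so the functions can be
# sourced and tested without touching any file system.
case "$0" in
    cdmount|*/cdmount) main "$@"; exit $? ;;
esac
```

The script itself must be owned by root and not writable by anyone else, otherwise the sudo rule is equivalent to a root shell.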