From owner-freebsd-security@FreeBSD.ORG  Tue Jun 10 07:58:18 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id BEA7E37B401; Tue, 10 Jun 2003 07:58:18 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id D625743F3F; Tue, 10 Jun 2003 07:58:17 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org
	[63.229.157.2])	by lariat.org (8.9.3/8.9.3) with ESMTP id IAA18430;
	Tue, 10 Jun 2003 08:58:12 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system
	susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030610085402.02756390@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 10 Jun 2003 08:58:06 -0600
To: Jon DeShirley <jond@uidaho.edu>
From: Brett Glass <brett@lariat.org>
In-Reply-To: <3EE58562.1070601@uidaho.edu>
References: <4.3.2.7.2.20030610010227.02a68ed0@localhost>
 <200306092254.QAA10240@lariat.org>
 <200306092254.QAA10240@lariat.org>
 <4.3.2.7.2.20030610010227.02a68ed0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: Doug Barton <DougB@freebsd.org>
cc: security@freebsd.org
Subject: Re: Removable media security in FreeBSD
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2003 14:58:19 -0000

At 01:14 AM 6/10/2003, Jon DeShirley wrote:

>Example:
>
>%users  NOPASSWD:ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
>
>What does this do?  It allows users in the group 'users' to run the explicit commands ONLY.

Ah, but the commands will be different for each user, because
one needs to change permissions and ownership to a specific
user (and, if you mount in the user's home directory, a
specific path). What's more, the command must only be
allowed to execute if the user is logged in via an X Windows
desktop manager at the console, and the effects must be
undone when s/he logs out. So, there are a lot of logistics
that may make it infeasible to use this approach.

--Brett