From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 09:08:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 75BA237B405 for ; Tue, 10 Jun 2003 09:08:03 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 8956843FDD for ; Tue, 10 Jun 2003 09:07:59 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 4964 invoked from network); 10 Jun 2003 16:01:06 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 10 Jun 2003 16:01:05 -0000 Received: (qmail 81452 invoked by uid 1000); 10 Jun 2003 16:10:43 -0000 Date: Tue, 10 Jun 2003 19:10:43 +0300 From: Peter Pentchev To: Brett Glass Message-ID: <20030610161043.GG485@straylight.oblivion.bg> Mail-Followup-To: Brett Glass , Jon DeShirley , Doug Barton , security@freebsd.org References: <4.3.2.7.2.20030610010227.02a68ed0@localhost> <200306092254.QAA10240@lariat.org> <200306092254.QAA10240@lariat.org> <4.3.2.7.2.20030610010227.02a68ed0@localhost> <4.3.2.7.2.20030610085402.02756390@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Sr1nOIr3CvdE5hEN" Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20030610085402.02756390@localhost> User-Agent: Mutt/1.5.4i cc: Doug Barton cc: security@freebsd.org Subject: Re: Removable media security in FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jun 2003 16:08:03 -0000 --Sr1nOIr3CvdE5hEN Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 10, 2003 at 08:58:06AM -0600, Brett Glass wrote: > At 01:14 AM 6/10/2003, Jon DeShirley wrote: >=20 > >Example: > > > >%users NOPASSWD:ALL=3D/sbin/mount /cdrom,/sbin/umount /cdrom > > > >What does this do? It allows users in the group 'users' to run the expl= icit commands ONLY. >=20 > Ah, but the commands will be different for each user, because > one needs to change permissions and ownership to a specific > user (and, if you mount in the user's home directory, a > specific path). What's more, the command must only be > allowed to execute if the user is logged in via an X Windows > desktop manager at the console, and the effects must be > undone when s/he logs out. So, there are a lot of logistics > that may make it infeasible to use this approach. So, uhm, make a script to mount/chmod/etc, and another script to unmount/unchmod/etc, and only allow sudo access to those? =20 G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence is false. --Sr1nOIr3CvdE5hEN Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE+5gMD7Ri2jRYZRVMRAtGYAJ94EbJ4DeyJAjxCb87O1SN9fkwp6QCghNza /f+FqcEgVZKS6GkIZ7blO0U= =x1iB -----END PGP SIGNATURE----- --Sr1nOIr3CvdE5hEN--