Removable media security in FreeBSD
Zvezdan Petkovic
zvezdan at CS.WM.EDU
Mon Jun 9 16:52:00 PDT 2003
Brett,
I found this in the notes I wrote on configuration of my VAIO laptop to
run FreeBSD, OpenBSD, or Linux.
On Mon, Jun 09, 2003 at 04:54:27PM -0600, Brett Glass wrote:
>
> If the desktop manager can be set up to change ownerships, etc., upon login,
> it would help. One response mentioned that this could be done for xdm, but I
> don't know if kdm has the same capability.
FreeBSD section:
To use kdm instead of xdm, put /usr/local/bin/kdm instead of xdm in
/etc/ttys (or rc.local if you start X that way). The configuration is
in /usr/local/share/config/kdm. I have linked Xaccess, Xservers, and
Xwilling to the xdm versions of these files. I didn't change other X*
files, except adding to Xstartup/Xreset something similar to
GiveConsole/TakeConsole for xdm (see OpenBSD section). Configure kdmrc
according to preferences.
User pictures for the login screen in PNG format go in
/usr/local/share/apps/kdm/pics/users/.
The reference to the OpenBSD section is to this piece:
Set the permissions for the devices you want to use after login in
/etc/X11/xdm/GiveConsole and revert them to root in
/etc/X11/xdm/TakeConsole. For example, to be able to play audio CDs, put
in GiveConsole:
chmod o+r /dev/{,r}cd0?
and in TakeConsole the same line with the o-r option. Something similar
can be done with the device ownership, mount points, and the sysctl(8)
option kern.usermount if we want to allow users to mount and write the
device (e.g. floppy or CD-RW).
The brace syntax is possible above because sh in OpenBSD is a hard link
to ksh. For FreeBSD sh you'd need two lines.
What I refer to above is something like this in GiveConsole
(Xstartup for kdm):
chown $USER /dev/console
chown $USER /dev/fd0*
chown $USER /dev/fd1*
chown $USER /dev/hdc
and this in TakeConsole (Xreset for kdm):
chmod 622 /dev/console
chown root /dev/console
chown root /dev/fd0*
chown root /dev/fd1*
umount /mnt/floppy >/dev/null 2>&1 # some people forget to umount
chown root /dev/hdc
You can combine this with the correct chmod to keep them readable for
the current console user only.
> As I recall, Red Hat does something like this, but I'm not sure exactly how.
In Red Hat it can be done in the way described above or through
/etc/security/console.perms.
I hope this helps for a start.
--
Zvezdan Petkovic <zvezdan at cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/
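One way to put both halves of that setup into a single script, as an added example that is not from the post: the device list, the console-perms name and the DRYRUN switch are assumptions, and the script checks the USER value the display manager hands it before running chown as root.

```sh
#!/bin/sh
# Added example, not the script from the post: one file that serves as both
# GiveConsole/Xstartup ("console-perms give") and TakeConsole/Xreset
# ("console-perms take"); xdm and kdm run those hooks as root with USER set.
# The device list is assumed; patterns are spelled out since FreeBSD sh has no {a,b}.
CONSOLE_DEVICES="/dev/console /dev/fd0* /dev/fd1* /dev/cd0? /dev/rcd0?"
FLOPPY_MOUNT=/mnt/floppy   # unmounted at logout so a forgotten disk is not left behind

# List only devices that exist: sh leaves a pattern that matches nothing
# unexpanded, and chown on a literal "/dev/fd1*" would fail.
expand_devices() {
    for dev in $CONSOLE_DEVICES; do
        if [ -e "$dev" ]; then printf '%s\n' "$dev"; fi
    done
}

# With DRYRUN set the commands are printed instead of executed, so the script
# can be checked as an unprivileged user before it is installed.
run() {
    if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

console_perms() {
    action=$1
    user=${2:-$USER}
    # USER comes from the display manager's environment; refuse anything that
    # is not a plain account name before passing it to chown as root.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "console-perms: bad user '$user'" >&2; return 1 ;;
    esac
    case $action in
        give) owner=$user ;;
        take) owner=root ;;
        *) echo "usage: console-perms give|take [user]" >&2; return 2 ;;
    esac
    for dev in $(expand_devices); do
        run chown "$owner" "$dev"
        case $dev in
            */console) run chmod 622 "$dev" ;;  # console stays writable for write(1)/wall(1)
            *)         run chmod 600 "$dev" ;;  # removable media: readable by the owner only
        esac
    done
    if [ "$action" = take ]; then
        run umount "$FLOPPY_MOUNT" 2>/dev/null  # some people forget to umount
    fi
    return 0
}

# Run only when given an argument, so the file can be sourced for checking.
if [ $# -gt 0 ]; then console_perms "$@"; fi
```

Install it as /usr/local/bin/console-perms and call "console-perms give" from GiveConsole or Xstartup and "console-perms take" from TakeConsole or Xreset.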