Removable media security in FreeBSD

Erik AlexanderLøkken eal at mnemonic.no
Tue Jun 10 00:17:06 PDT 2003


On 10.06 01:04, Brett Glass wrote:
> At 05:21 PM 6/9/2003, Doug Barton wrote:
>   
> >On Mon, 9 Jun 2003, Brett Glass wrote:
> >
> >> Allowing the user to use sudo would effectively be giving him/her root
> >> privileges, which we explicitly don't want to do.
> >
> >No it wouldn't. You can specify the commands that you allow each user to
> >run. 
> 
> Ah, but letting the user mount and unmount things effectively lets that
> person do anything he or she wants, by switching around what's mounted
> at key mountpoints.
> 

Or you can limit which mount points the user actually has the privileges 
to change, in sudoers:

%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom

/erik


More information about the freebsd-security mailing list