Removable media security in FreeBSD
Jon DeShirley
jond at uidaho.edu
Tue Jun 10 14:32:15 PDT 2003
On Tue, 9 Jun 2003 Brett Glass wrote:
> At 05:21 PM 6/9/2003, Doug Barton wrote:
>
>>On Mon, 9 Jun 2003, Brett Glass wrote:
>>
>>>Allowing the user to use sudo would effectively be giving him/her root
>>>privileges, which we explicitly don't want to do.
>>
>>No it wouldn't. You can specify the commands that you allow each user to
>>run.
>
> Ah, but letting the user mount and unmount things effectively lets that
> person do anything he or she wants, by switching around what's mounted
> at key mountpoints.
Example:
%users NOPASSWD:ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
What does this do? It allows users in the group 'users' to run the
explicit commands ONLY.
Now, unless you give them sudo access to vi /etc/fstab or something,
there's no way '/sbin/mount /cdrom' is going to change behavior.
btw, I would suggest reading the sudoers manual:
http://www.courtesan.com/sudo/man/sudoers.html
Cheers,
--jon
More information about the freebsd-security
mailing list