Removable media security in FreeBSD
Adrian Filipi-Martin
adrian+freebsd-security at ubergeeks.com
Tue Jun 10 15:28:49 PDT 2003
On Sun, 8 Jun 2003, zk wrote:
> On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote:
> > since this would allow anyone to write someone else's removable media. Is
> > there a standard, SECURE way of allowing an unprivileged user at the console
> > to get at removable media that s/he has inserted in the machine?
> >
> Create group floppy, chown 0:floopy /dev/floppy*, chmod g+rw /dev/fd0*
> and add user to group floppy.
> And vfs.usermount=1
>
> zk
I'd also recommend this approach, but with one caveat. The users
will likely have trouble with newly formatted media. newfs always creates
a filesystem with root:wheel as the owner.
I submitted a patch (bin/34146) to make the default ownership match
the user running the command if it was not being run as root. You might
want to check it out.
We've been running unix application developer desktops happily this
way for a couple of years now. We've been using the Give/TakeConsole
scripts under wdm.
I used to use the sudo based approaches in the past under HP-UX,
but usermounts under *BSD are just simply cleaner and more flexible.
cheers,
Adrian
--
[ adrian at ubergeeks.com ]
More information about the freebsd-security
mailing list