Subject: Re: Unprivileged access to devices
To: Wojciech Puchar <wojtek@tensor.3miasto.net>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 01/02/2004 08:36:02
In message <Pine.NEB.4.58.0401021104330.23244@chylonia.3miasto.net>, Wojciech P
uchar writes:
>> of devices such as the cd-rom or dvd drive?
>>
>> The standard install (1.6Zx, current) produces devices files owned by
>> root and only readable by root and the group "operator". This is pretty
>> restrictive and I understand that it's a reasonable default in general.
>>
>> However, things like cd-roms and dvds or any other removable media are
>> desirable to most users - they want to play a cd or dvd, or perhaps burn
>> a cd.
>>
>
>use vfs.generic.usermount=1 in sysctl
>
>and set user/group privilege to directory to which cd/dvd have to be
>mounted like /cdrom
>
>then put in /etc/fstab something like
>
>/dev/cd0a /cdrom cd9660 ro,noauto 0 0
>
There's an important warning here: you probably want to specify
'nosuid,nodev' as well, unless you trust all of your users. (I confess
that I'm not sure if it's even possible to have setuid or device files
on ISO 9660 CDs. But it is possible on ffs-formatted floppies, vnd
images, and the like.)
Regardless, a better solution might be to use amd. I do that even on
machines where I'm the sole user -- it's just an easier way to operate.
--Steve Bellovin, http://www.research.att.com/~smb