Subject: Re: Allow non-root users to access to CD-ROM and Floppy
To: Joel Rees <email@example.com>
From: Johnny Billquist <bqt@Update.UU.SE>
Date: 09/08/2004 16:50:11
On Wed, 8 Sep 2004, Joel Rees wrote:
> Wildcard the user? Leave out the mount points in the sudoers command line?
> You don't have to do that, I think.
A number of users was the prerequisite here, I believe. If we could skip
that, we didn't need this discussion at all. :-)
>> As far as I can tell, this will allow people to mount/umount any volume,
>> and, as opposed to setting the sysctl variable, this will allow them to
>> mount at any point, which in turn, will allow them to exchange the mount
>> binary with anything they feel like, which in turn means they can easily
>> crack the system.
> Which is why, last I recall, the sudoers file provides ways to limit the set
> of users allowed a particular command line and to pre-supply arguments.
I had never played with pre-supplied arguments. That is atleast a possible
way of limiting the dangers here.
But you'd need one line per user, unless you want them to have the same
I'd say we're talking about a lot more more work than
vfs.generic.usermount :-) You also need to check up so that people can't
mount filesystems with runnable programs with suid, and so on.
All doable, I believe, but there are many traps around here.
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: firstname.lastname@example.org || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol