Subject: Re: Allow non-root users to access to CD-ROM and Floppy
To: Joel Rees <>
From: Johnny Billquist <bqt@Update.UU.SE>
List: netbsd-users
Date: 09/08/2004 16:50:11
On Wed, 8 Sep 2004, Joel Rees wrote:

> Wildcard the user? Leave out the mount points in the sudoers command line? 
> You don't have to do that, I think.

A number of users was the prerequisite here, I believe. If we could skip 
that, we didn't need this discussion at all. :-)

>> As far as I can tell, this will allow people to mount/umount any volume, 
>> and, as opposed to setting the sysctl variable, this will allow them to 
>> mount at any point, which in turn, will allow them to exchange the mount 
>> binary with anything they feel like, which in turn means they can easily 
>> crack the system.
> Which is why, last I recall, the sudoers file provides ways to limit the set 
> of users allowed a particular command line and to pre-supply arguments.

I had never played with pre-supplied arguments. That is atleast a possible 
way of limiting the dangers here.

But you'd need one line per user, unless you want them to have the same 
mount points.

I'd say we're talking about a lot more more work than 
vfs.generic.usermount :-) You also need to check up so that people can't 
mount filesystems with runnable programs with suid, and so on.
All doable, I believe, but there are many traps around here.


Johnny Billquist                  || "I'm on a bus
                                   ||  on a psychedelic trip
email:           ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol