Subject: Re: ZIP drives
To: None <mycroft@deshaw.com, current-users@NetBSD.ORG>
From: Henry G. Juengst, ISKP, Bonn <juengst@saph1.physik.uni-bonn.de>
List: current-users
Date: 09/05/1995 16:39:52
> Given the security model inherited from 4.4BSD, it's possible to use
> ZIP drives and the like without writing any setuid programs.  All the
> user needs is write permission to the device, and he/she can mount it
> on a directory he/she owns.  If you're at security level 1 or higher,
> another user with write permission to the device won't be able to
> modify the mounted file system.
> 
> Of course, there's a window between inserting the disc and mounting
> it, and again between unmounting and ejecting it, where someone else
> could modify the disc.  I'm open to suggestions on how to close
> this...

This is a common problem in the unix world. It is impossible to protect
a tape between the time one inserts it into a drive and starts a program.
Same problem between two programs which need the tape. This can be very
awkward if anybody else writes onto your tape during this time. Sometimes
the way to the next tape drive is very long and one has to run fast
enough. ==:-|

There is a nice solution in VMS. One can allocate the device before
one mounts the medium. The device will be allocated for only one
process (VMS does not create a new process for each command!). Other
processes cannot access this device then. If the device is allocated
one can insert the tape (or a disk) and mount it (yes, one can mount
tapes and one can use an ANSI file structure including file names etc.).
The next step is to start the program (which will be started in the same
process). Later, one can dismount the tape, mount another one etc.
At the end one has to deallocate the device. This will also be done if
the process stops. That does also work with batch jobs. One allocates
the device interactively, inserts the tape, starts the batch jobs, which
will retry to allocate/mount the device until it is deallocated. BTW,
one can also use operator support, if one has an operator. :-)

Maybe something like that should be implemented based on process sessions.

Just an idea...

Henry
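The two access models discussed in this thread (the BSD-style "write permission on the device node plus securelevel" scheme, and the VMS-style ALLOCATE before insert/mount, released when the owning session ends) can be compared in a small model. The Python below is an added example written for this archive page, not code from the message, from NetBSD or from VMS; the users, sessions, device names and the simplified securelevel rule are constructed assumptions. It shows the raw-write window before mount and after unmount that the quoted text describes, how per-session allocation closes it, and how a batch session retrying ALLOCATE succeeds once the interactive session goes away.

```python
from dataclasses import dataclass, field
from typing import Optional


class AccessDenied(Exception):
    """Raised when a session may not touch the device in its current state."""


@dataclass
class Session:
    """An interactive or batch session; when it ends, its allocation lapses."""
    sid: int
    user: str
    alive: bool = True


@dataclass
class Device:
    """Constructed model of a removable-media device node, not a real driver."""
    name: str
    writers: set                      # users with write permission on the node
    securelevel: int = 1              # BSD-style: >= 1 protects a mounted medium
    owner: Optional[Session] = None   # session holding the VMS-style allocation
    medium: Optional[str] = None
    mounted: bool = False
    raw_writes: list = field(default_factory=list)

    def _held_by_other(self, s: Session) -> bool:
        return self.owner is not None and self.owner.alive and self.owner is not s

    def allocate(self, s: Session) -> None:
        """Exclusive claim, granted only if no live session already holds it."""
        if self._held_by_other(s):
            raise AccessDenied(f"{self.name} is allocated to {self.owner.user}")
        self.owner = s

    def deallocate(self, s: Session) -> None:
        if self.owner is s:
            self.owner = None

    def insert(self, medium: str) -> None:
        self.medium, self.mounted = medium, False

    def _check(self, s: Session) -> None:
        if s.user not in self.writers:
            raise AccessDenied(f"{s.user} has no write permission on {self.name}")
        if self._held_by_other(s):
            raise AccessDenied(f"{self.name} is allocated to {self.owner.user}")
        if self.medium is None:
            raise AccessDenied("no medium inserted")

    def mount(self, s: Session) -> None:
        self._check(s)
        self.mounted = True

    def unmount(self, s: Session) -> None:
        self._check(s)
        self.mounted = False

    def raw_write(self, s: Session, data: str) -> None:
        """Write through the device node, bypassing any mounted file system."""
        self._check(s)
        if self.mounted and self.securelevel >= 1:
            raise AccessDenied("mounted medium is protected at securelevel >= 1")
        self.raw_writes.append((s.user, data))


def _denied(fn, *args) -> bool:
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def _run_sequence(dev: Device, alice: Session, mallory: Session) -> dict:
    """Insert, mount, unmount; probe whether a second writer is refused each time."""
    dev.insert("disk-A")
    before = _denied(dev.raw_write, mallory, "scribble")
    dev.mount(alice)
    during = _denied(dev.raw_write, mallory, "scribble")
    dev.unmount(alice)
    after = _denied(dev.raw_write, mallory, "scribble")
    return {"before_mount": before, "while_mounted": during, "after_unmount": after}


def unix_window() -> dict:
    """No allocation: only the mounted phase is protected; both windows are open."""
    dev = Device("zip0", writers={"alice", "mallory"})
    return _run_sequence(dev, Session(1, "alice"), Session(2, "mallory"))


def allocated_window() -> dict:
    """Allocate before insert: every phase is refused until deallocation."""
    dev = Device("zip0", writers={"alice", "mallory"})
    alice, mallory = Session(1, "alice"), Session(2, "mallory")
    dev.allocate(alice)
    result = _run_sequence(dev, alice, mallory)
    dev.deallocate(alice)
    result["after_deallocate"] = _denied(dev.raw_write, mallory, "scribble")
    return result


def batch_job_retry(max_attempts: int = 6) -> int:
    """A batch session retries ALLOCATE; returns the attempt that succeeds (0 if none)."""
    dev = Device("tape0", writers={"alice"})
    interactive, batch = Session(1, "alice"), Session(7, "alice")
    dev.allocate(interactive)
    dev.insert("tape-1")
    for attempt in range(1, max_attempts + 1):
        if not _denied(dev.allocate, batch):
            return attempt
        if attempt == 3:                # interactive session ends after the 3rd refusal
            interactive.alive = False   # allocation lapses with the session
    return 0
```

`unix_window()` reports the window open before mount and after unmount, closed only while mounted; `allocated_window()` reports all three phases closed and the device free again only after `deallocate`; `batch_job_retry()` returns 4, the first attempt after the interactive session has gone away. The model deliberately ties the allocation to a session object rather than a user, which is the "based on process sessions" variant the message suggests.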