Date:      Sun, 20 Nov 2005 15:04:22 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        Holger Kipp <hk@alogis.com>
Cc:        stable@freebsd.org
Subject:   Re: FBSD-6 usb/scanner-access-rights
Message-ID:  <20051120140422.GA26681@slackbox.xs4all.nl>
In-Reply-To: <20051120131624.GB35164@intserv.int1.b.intern>
References:  <20051120131624.GB35164@intserv.int1.b.intern>

On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote:
>
> Is there an easy way to name the devices a user might
> be allowed to access rw, without compromising the system?
> I don't want to give operator group to these users,
> and I don't want to blindly allow access to some
> da- or pass-devices where I cannot determine the order
> of numbering easily.

One thing you could do is make the groups usb and cdrom and make them
the groups owning the relevant devices, e.g. by putting the following in
/etc/devfs.rules:

add path 'da*s*' mode 0660 group usb
add path 'uscanner*' mode 0660 group usb

The ownership for the CD-ROM devices should be set in /etc/devfs.conf:

# Give members of group cdrom access to the CD/DVD-ROM and DVD+RW via the
# SCSI interface
own     xpt0    root:cdrom
perm    xpt0    0660

own     cd0     root:cdrom
perm    cd0     0660
link    cd0     cdrom
link    cd0     dvd

own     pass0   root:cdrom
perm    pass0   0660

own     cd1     root:cdrom
perm    cd1     0660

own     pass1   root:cdrom
perm    pass1   0660

The user that must be able to use the CD-ROMs and scanner must be a
member of the appropriate group.

If that is not fine-grained enough, maybe ACLs might help. See setfacl(1).

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
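
An added example, not part of the message above: a POSIX sh check that the nodes covered by one of these rules ended up with the intended group and with no access for "other". The function names are made up for this example; on the real host DIR is /dev and GROUP is usb or cdrom.

```shell
#!/bin/sh
# Added example (not from the original message): audit device nodes against
# the intended policy "mode 0660, owned by a dedicated group".

# audit_nodes DIR PATTERN GROUP
#   DIR     directory to scan (/dev on the real host)
#   PATTERN shell glob for the node names, as in the devfs.rules 'path' field
#   GROUP   group name or numeric gid that should own the nodes
# Prints each matching node that grants any access to "other" or that is
# owned by a different group. Symlinks (such as the cdrom and dvd links) are
# skipped. Returns 0 when nothing is printed, 1 otherwise.
audit_nodes() {
    dir=$1 pattern=$2 group=$3
    bad=$(find "$dir" -name "$pattern" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 -o ! -group "$group" \) \
        -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# count_matches DIR PATTERN: number of nodes the pattern currently covers.
# A count of 0 means the rule matches nothing (typo, or device not attached).
count_matches() {
    find "$1" -name "$2" ! -type l -print | wc -l | tr -d ' '
}

# When called with three arguments, audit a real tree, e.g.:
#   sh audit_nodes.sh /dev 'uscanner*' usb
if [ "$#" -eq 3 ]; then
    audit_nodes "$1" "$2" "$3"
fi
```

If the audit reports nodes the rules should have covered, check that the `add path` lines sit inside a named ruleset in /etc/devfs.rules and that rc.conf selects it with `devfs_system_ruleset`.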
