Remco Blaakmeer <[EMAIL PROTECTED]> writes:

> But what I want is this:
>
> 1 root can mount anything
> 2 users in group floppy can mount the floppy drive
> 3 users not in group floppy can not mount the floppy drive
>
> Of course, 1 is always true. But I can't get 2 and 3 at the same time.
> Either mount is setuid and then all users can mount the floppy, or it is
> not setuid and then only root can mount the floppy.

I use "super" for something similar for my ZIP-drive.

In /etc/super.tab :

    zon  /usr/local/bin/zon.sh  :zipmount uid=root
    zoff /usr/local/bin/zoff.sh :zipmount uid=root

This will allow users in group zipmount to use these commands.
I didn't put anyone in this group, but added zipmount to the
"CONSOLE_GROUPS" line in /etc/login.defs.
So anyone is able to mount the ZIP, if he logs on from the console.

*** Security warning ***

And I wouldn't use the floppy group either. If you have

    brw-rw----   1 root     floppy     2,   0 Apr 14  1997 /dev/fd0

everyone in group floppy would have access to the raw device and could
read the floppy without mounting it.

I saw a posting with the advice to chmod 666 the device.
DON'T DO THIS. This will allow anyone (even remote users) to cat the
contents of the device. Just try cat /dev/fd0.
This is important, if the user at the console doesn't like it, if
others can read the contents of his floppy.

Now back to my solution:

    bash-2.01$ cat /usr/local/bin/zon.sh
    #!/bin/sh
    modprobe ppa 2>/dev/null
    # numeric uid of the calling user; anchored so only the exact login name matches
    uid=`grep "^$ORIG_USER:" /etc/passwd|perl -e '$_=(split /:/,<>)[2];print'`
    mount -t vfat -o rw,nodev,noexec,uid=$uid,umask=077,quiet /dev/sda4 /zip && echo ZIP gemountet unter /zip

    bash-2.01$ cat /usr/local/bin/zoff.sh
    #!/bin/sh
    umount /zip && echo ZIP unmounted
    rmmod ppa 2>/dev/null

Then do

    ln -s /usr/bin/super /usr/local/bin/zon
    ln -s /usr/bin/super /usr/local/bin/zoff

and you are done.

Summary:
With this method, anyone who logs on to the console (including xdm
login from localhost) can mount the ZIP. Only he will be able to access
the filesystem, raw access to the device is not possible.
Use zon to mount the ZIP and zoff to unmount it.

Sounds like a perfect solution, doesn't it :-)

Ciao,
Martin
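
The raw-device point from the security warning above, as an added example that is not part of the original mail: a small audit that reads "ls -l" lines and reports block devices whose contents can be read without mounting by anyone beyond the owner. The function names and the sample listing are constructed for illustration; only the first sample line is the one quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the original mail): flag block devices whose raw
# contents are readable by a group or by everyone, bypassing mount entirely.

# raw_readers MODE GROUP -> prints "world", "group:<name>" or "owner"
raw_readers() {
    mode=$1 group=$2
    # ls -l mode layout: type(1) owner(3) group(3) other(3)
    g_r=$(printf '%s' "$mode" | cut -c5)   # group read bit
    o_r=$(printf '%s' "$mode" | cut -c8)   # other read bit
    if [ "$o_r" = "r" ]; then
        echo "world"
    elif [ "$g_r" = "r" ]; then
        echo "group:$group"
    else
        echo "owner"
    fi
}

# audit_listing: read "ls -l" lines on stdin, report exposed block devices
audit_listing() {
    while read -r mode links owner group rest; do
        case $mode in
            b*) ;;              # only block devices are of interest here
            *) continue ;;
        esac
        path=${rest##* }        # last field of the line is the device path
        who=$(raw_readers "$mode" "$group")
        [ "$who" = "owner" ] || echo "$path raw-readable by $who"
    done
}

# Constructed sample listing; /dev/fd0-chmod666 is a made-up name standing in
# for the floppy device after the "chmod 666" advice the mail warns against.
SAMPLE='brw-rw---- 1 root floppy 2, 0 Apr 14 1997 /dev/fd0
brw-rw-rw- 1 root floppy 2, 0 Apr 14 1997 /dev/fd0-chmod666
brw------- 1 root root 8, 4 Apr 14 1997 /dev/sda4
crw-rw-rw- 1 root root 1, 3 Apr 14 1997 /dev/null'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_listing; }

audit_sample
```

On a real system the same function can be fed with `ls -l /dev/fd0 /dev/sda4 | audit_listing`.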