Special dev access for users @ the console?
Hello debian ppl!
I am a lab admin. I need to give access to the floppy (/dev/fd0), zip
drive (/dev/hdd), and sound (/dev/dsp) to the person logged in at the
console (x or tty). If this was my personal machine, I would just
put the users in the group console. Unfortunately, this cannot be the
case. I have around 6500 users, and they are all able to log in to
these machines remotely. While I agree it would be a good practical
joke to start playing loud music in another room, it wouldn't be
prudent in a lab setting. I have similar problems with the floppy
and the zip (ide floppy version). These devices would be even worse
because another user could steal code from another (NOT GOOD!).
I was wondering if anyone had any solutions for me. I have thought of
two different solutions:
1) Use pam_console, compiled separately. I don't really want to do
this, because debian doesn't include the file for a reason: it's got a
gaping security hole, users can hold open file descriptors on devices
after they're not using a console (through screen, perhaps) and that
basically makes the changing users a moot point.
2) Use pam_group, and add them to a group when they're logged in on
the console. This works on ttys, I've read, but not on xdm sessions.
It's important that it works in X because this is what most of our lab
users (and newbies to linux sometimes, yay!) use most of the time.
Forcing them to log in to a tty isn't really desirable.
My question is: Does anyone have any other solutions? Or can one of
my solutions be modified to negate my problems with the solution?
College of Natural Sciences
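
The problem raised under option 1, file descriptors on the console devices staying open after the console user has changed, can be checked for directly. This is an added example, not part of the original post: it assumes a Linux /proc and root privileges, and the function name and its parameters are hypothetical.

```python
import os
import sys

# Device nodes named in the post; adjust to the lab's hardware.
CONSOLE_DEVICES = ("/dev/fd0", "/dev/hdd", "/dev/dsp")


def stale_device_holders(allowed_uids, devices=CONSOLE_DEVICES, proc_root="/proc"):
    """Return sorted (pid, uid, device) tuples for every process that has one
    of `devices` open and whose owner is not in `allowed_uids`."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "sys"
        pid_dir = os.path.join(proc_root, entry)
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            # The owner of /proc/<pid> is normally the process's effective UID.
            owner = os.stat(pid_dir).st_uid
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        if owner in allowed_uids:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # descriptor was closed while we were scanning
            if target in devices:
                findings.append((int(entry), owner, target))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: script.py <console-uid>. Root (UID 0) is always allowed here.
    console_uid = int(sys.argv[1])
    for pid, uid, dev in stale_device_holders({0, console_uid}):
        print(f"pid {pid} (uid {uid}) still holds {dev}")
```

Run at session start or from cron, this reports descriptors held through screen or a backgrounded process by anyone other than the current console user.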