
Special dev access for users @ the console?



Hello Debian ppl!

I am a lab admin.  I need to give access to the floppy (/dev/fd0), zip
drive (/dev/hdd), and sound (/dev/dsp) to the person logged in at the
console (X or tty).   If this was my personal machine, I would just
put the users in the group console.  Unfortunately, this cannot be the
case.  I have around 6500 users, and they are all able to log in to
these machines remotely.   While I agree it would be a good practical
joke to start playing loud music in another room, it wouldn't be
prudent in a lab setting.   I have similar problems with the floppy
and the zip (IDE floppy version). These devices would be even worse
because another user could steal code from another (NOT GOOD!).

I was wondering if anyone had any solutions for me.  I have thought of
two different solutions: 

1) Use pam_console, compiled separately.   I don't really want to do
this, because Debian doesn't include the file for a reason: it's got a
gaping security hole, users can hold open file descriptors on devices
after they're not using a console (through screen, perhaps) and that
basically makes the changing users a moot point. 

2) Use pam_group, and add them to a group when they're logged in on
the console.  This works on ttys, I've read, but not on xdm sessions.
It's important that it works in X because this is what most of our lab
users (and newbies to Linux sometimes, yay!) use most of the time.
Forcing them to log in to a tty isn't really desirable.


My question is:  Does anyone have any other solutions?  Or can one of
my solutions be modified to negate my problems with the solution? 

Mike Janssen 
College of Natural Sciences
Lab Administrator
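
The concern raised under option 1, that a process can keep a device descriptor open after its owner has left the console, can at least be audited. The following is an added example, not part of the original post or of pam_console; it assumes a Linux /proc layout, that it runs as root, and that the caller supplies the UID of the user currently at the console (the function names are hypothetical).

```python
import os
import sys

# Devices named in the post; the policy below is this example's assumption.
CONSOLE_DEVICES = ("/dev/fd0", "/dev/hdd", "/dev/dsp")


def real_uid(status_path):
    """Parse the real UID from the 'Uid:' line of a /proc/<pid>/status file."""
    with open(status_path) as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    raise ValueError("no Uid line in " + status_path)


def stale_device_holders(console_uid, devices=CONSOLE_DEVICES, proc_root="/proc"):
    """List (pid, uid, device) for processes that hold a console device open
    but belong to neither the current console user nor root."""
    findings = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            uid = real_uid(os.path.join(base, "status"))
            fds = os.listdir(os.path.join(base, "fd"))
        except (OSError, ValueError):
            continue  # process exited mid-scan, or we lack permission
        if uid in (0, console_uid):  # assumption: root daemons are exempt
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(base, "fd", fd))
            except OSError:
                continue  # descriptor closed while we were looking
            if target in devices:
                findings.add((int(entry), uid, target))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (as root): script.py <uid of the user now at the console>
    for pid, uid, dev in stale_device_holders(int(sys.argv[1])):
        print(f"pid {pid} (uid {uid}) still holds {dev}")
```

Run at each console login or logout, this reports descriptors left open by a previous user, for example from a detached screen session.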


