
Re: access to mount filesystems



On 16 Nov 1997, Torsten Hilbrich wrote:

> Paul Miller <paul@3dillusion.3dillusion.com> writes:
> 
> > I want users only in certain groups to be able to mount specific
> > filesystems.. eg
> > 
> > floppy = /dev/fd0 (floppy drive)
> > cdrom = /dev/hdd (ide cdrom)
> > staff /dev/hda1 (dos)
> > 
> > .... If I use the user option in fstab, all users can mount the fs..  and
> > I'd rather not make scripts because some programs use the mount command
> > for mounting...
> 
> Create a group for floppy access (say 103) and dos (say 104).
> 
> If you use the gid=103 (floppy) and umask=227 you can limit the
> *access* to file systems like vfat, msdos.  The mounting will be
> possible but users not in floppy (or whatever you use here) will have
> no access to the mounted filesystem.  I have no idea about iso9660
> with Rockridge extension (which has its own file permissions stored).
> My cdrom (/dev/scd0) has the permissions: "brw-rw---- 1 root cdrom "
> but this won't help you with IDE drives.

This is only part of the solution, as still all users can mount/unmount
partitions and floppies, like you say.

The solution to this lies in the permissions of the device itself. There
exists a group 'floppy' on every newly-installed Debian system, so I'll
use that one to show how to limit access to a floppy drive. The procedure
for other drives, audio devices and tape drives is similar. Groups named
disk, cdrom, audio and tape also already exist.

First, make every user that is allowed to access the floppy drive a member
of group 'floppy'. Let's assume we have a user called 'user1' and we want 
him to be able to access the first (or only) floppy drive:

# adduser user1 floppy

Now, change the permissions of the floppy device to 'brw-rw----':

# chmod 660 /dev/fd0*

And then change the ownership of the floppy device to root.floppy:

# chown root.floppy /dev/fd0*

Of course you can use '/dev/fd[01]*' in the examples above if you have two
floppy drives. Just be careful to leave /dev/fd as it is. It has nothing
to do with floppy drives. So don't use '/dev/fd*'.

The file permissions or ownerships may already be like we want them to be. 
I can only look at my own system and I can't remember what I have changed
since I first installed Debian. At the end you should have something like
this:

$ ls -l /dev/fd0*
brw-rw----   1 root     floppy     2,   0 Sep  9 15:55 /dev/fd0
brw-rw----   1 root     floppy     2,  84 Sep  9 15:55 /dev/fd0u1040
brw-rw----   1 root     floppy     2,  88 Sep  9 15:55 /dev/fd0u1120
brw-rw----   1 root     floppy     2,  28 Sep  9 15:55 /dev/fd0u1440
brw-rw----   1 root     floppy     2, 124 Sep  9 15:55 /dev/fd0u1600
brw-rw----   1 root     floppy     2,  44 Sep  9 15:55 /dev/fd0u1680
brw-rw----   1 root     floppy     2,  60 Sep  9 15:55 /dev/fd0u1722
brw-rw----   1 root     floppy     2,  76 Sep  9 15:55 /dev/fd0u1743
brw-rw----   1 root     floppy     2,  96 Sep  9 15:55 /dev/fd0u1760
brw-rw----   1 root     floppy     2, 116 Sep  9 15:55 /dev/fd0u1840
brw-rw----   1 root     floppy     2, 100 Sep  9 15:55 /dev/fd0u1920
brw-rw----   1 root     floppy     2,  12 Sep  9 15:55 /dev/fd0u360
brw-rw----   1 root     floppy     2,  16 Sep  9 15:55 /dev/fd0u720
brw-rw----   1 root     floppy     2, 120 Sep  9 15:55 /dev/fd0u800
brw-rw----   1 root     floppy     2,  52 Sep  9 15:55 /dev/fd0u820
brw-rw----   1 root     floppy     2,  68 Sep  9 15:55 /dev/fd0u830

Now, if you supply the 'user' option in /etc/fstab, only users who are
members of the 'floppy' group can access the floppy drive.

Remco
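
Added example, not part of Remco's message: a shell function that checks `ls -l` output against the end state shown in the listing above (device node, owner root, the chosen group, no access for others). The function names are hypothetical, and the sample listing is constructed: its first line is from the message, two lines are deliberately altered, and the /dev/fd symlink line is an assumed form.

```shell
#!/bin/sh
# audit_nodes GROUP
# Reads `ls -l` lines on stdin and prints "<path>: <findings>" for every entry
# that deviates from: device node, owner root, group GROUP, group rw, others ---.
# Returns 1 if anything was reported, 0 if the listing is clean.
audit_nodes() {
    awk -v grp="$1" '
        NF < 9 { next }                      # skip blank lines and "total N"
        {
            mode = $1
            type = substr(mode, 1, 1)
            # For a symlink the name sits before the "-> target" part.
            path = (type == "l") ? $(NF-2) : $NF
            # /dev/fd is not a floppy device; a careless /dev/fd* glob picks it up.
            if (type != "b" && type != "c") {
                print path ": not-a-device-node"; bad = 1; next
            }
            why = ""
            if (substr(mode, 8, 3) != "---")
                why = why " accessible-to-others(" substr(mode, 8, 3) ")"
            if (substr(mode, 5, 2) != "rw") why = why " group-lacks-rw"
            # GNU ls appends "+" when an ACL grants access beyond the mode bits.
            if (substr(mode, 11, 1) == "+") why = why " has-acl"
            if ($3 != "root") why = why " owner=" $3
            if ($4 != grp)    why = why " group=" $4
            if (why != "") { print path ":" why; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input (not output from a real system).
sample_listing() {
    cat <<'EOF'
brw-rw----   1 root     floppy     2,   0 Sep  9 15:55 /dev/fd0
brw-rw-rw-   1 root     floppy     2,  28 Sep  9 15:55 /dev/fd0u1440
brw-rw----   1 root     disk       2,  16 Sep  9 15:55 /dev/fd0u720
lrwxrwxrwx   1 root     root         13 Sep  9 15:55 /dev/fd -> /proc/self/fd
EOF
}

sample_listing | audit_nodes floppy || echo "deviations found" >&2
```

On a live system the same check is `ls -l /dev/fd0* | audit_nodes floppy`.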

