Hello, I am slightly unsatisfied with user rights management, especially with usb-devices, but also with access to cd/dvd-burners for the following reason: I'd like to be able to allow access to burners that are accessed as scsi-devices (via atapicam) for some users, but for that to work it is not sufficient to allow access via cd0/cd1, but I also have to allow the corresponding pass<x>-devices. For usb-scanner it is even worse. If I allow access to uscanner0, this does not work unless I also allow the corresponding /dev/usb<x>-device. umass<x> is also accessed as da<x>-device and also therefore needs some da-devices to be allowed rw-access for 'ordinary' users. I don't relly like to allow direct access to the related devices (da<x>, pass<y> - especially if the system is using scsi-disks). Is there an easy way to name the devices a user might be allowed to access rw, without compromising the system? I don't want to give operator group to these users, and I don't want to blindly allow access to some da- or pass-devices where I cannot determine the order of numbering easily. I hope this does not sound ignorant. Pointers to helpful information are also welcome :-) Regards, Holger Kipp
On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote:> > Is there an easy way to name the devices a user might > be allowed to access rw, without compromising the system? > I don't want to give operator group to these users, > and I don't want to blindly allow access to some > da- or pass-devices where I cannot determine the order > of numbering easily.One thing you could do is make the groups usb and cdrom and make them the groups owning the relevant devices, e.g. by putting the following in /etc/devfs.rules: add path 'da*s*' mode 0660 group usb add path 'uscanner*' mode 0660 group usb The ownership for the CD-ROM devices should be set in /etc/devfs.conf: # Give members of group cdrom access to the CD/DVD-ROM and DVD+RW via the # SCSI interface own xpt0 root:cdrom perm xpt0 0660 own cd0 root:cdrom perm cd0 0660 link cd0 cdrom link cd0 dvd own pass0 root:cdrom perm pass0 0660 own cd1 root:cdrom perm cd1 0660 own pass1 root:cdrom perm pass1 0660 The user that must be able to use the CD-ROMs and scanner must be a member of the appropriate group. If that is not fine-grained enough, maybe ACLs might help. See setfacl(1). Roland -- R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text. public key: http://www.xs4all.nl/~rsmith/pubkey.txt -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20051120/57ef2359/attachment.bin