On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote:
> 
> Is there an easy way to name the devices a user might
> be allowed to access rw, without compromising the system?
> I don't want to give operator group to these users,
> and I don't want to blindly allow access to some 
> da- or pass-devices where I cannot determine the order
> of numbering easily.

One thing you could do is make the groups usb and cdrom and make them
the groups owning the relevant devices, e.g. by putting the following in
/etc/devfs.rules:

add path 'da*s*' mode 0660 group usb
add path 'uscanner*' mode 0660 group usb

The ownership for the CD-ROM devices should be set in /etc/devfs.conf:

# Give members of group cdrom access to the CD/DVD-ROM and DVD+RW via the
# SCSI interface
own     xpt0    root:cdrom
perm    xpt0    0660

own     cd0     root:cdrom
perm    cd0     0660
link    cd0     cdrom
link    cd0     dvd

own     pass0   root:cdrom
perm    pass0   0660

own     cd1     root:cdrom
perm    cd1     0660

own     pass1   root:cdrom
perm    pass1   0660

The user that must be able to use the CD-ROMs and scanner must be a
member of the appropriate group.

If that is not fine-grained enough, maybe ACLs might help. See setfacl(1).

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
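
Added example, not part of the original message: a shell check for the numbering concern raised in the question. It reports any passN node that devfs.conf hands to group cdrom while `camcontrol devlist` shows that node paired with something other than a cdN device. The sample devlist and devfs.conf text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag devfs.conf entries that give a passN node to group
# cdrom when that passN is not the pass-through peer of a cdN device.

# Constructed sample of `camcontrol devlist` output (not from the post).
SAMPLE_DEVLIST='<ExampleCo Disk 1.0>      at scbus0 target 0 lun 0 (pass0,da0)
<ExampleCo DVD-RW 1.0>    at scbus1 target 0 lun 0 (cd0,pass1)
<ExampleCo USB Stick 1.0> at scbus2 target 0 lun 0 (da1,pass2)'

# Constructed sample of devfs.conf lines.
SAMPLE_CONF='own     cd0     root:cdrom
own     pass0   root:cdrom
own     pass1   root:cdrom'

# pass_peers: read devlist text on stdin, print "passN peer" per device.
# The two names inside the parentheses may appear in either order.
pass_peers() {
    sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p' | awk -F, '{
        pass = ""; peer = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pass[0-9]+$/) pass = $i; else peer = $i
        }
        if (pass != "") print pass, peer
    }'
}

# risky_pass_grants CONF DEVLIST: print "passN peer" for each passN that
# CONF assigns to group cdrom although its peer is not a cdN device
# ("absent" when the passN node does not exist in DEVLIST at all).
risky_pass_grants() {
    conf=$1; devlist=$2
    printf '%s\n' "$conf" |
    awk '$1 == "own" && $2 ~ /^pass[0-9]+$/ && $3 ~ /:cdrom$/ {print $2}' |
    while read -r p; do
        peer=$(printf '%s\n' "$devlist" | pass_peers |
               awk -v p="$p" '$1 == p {print $2}')
        case $peer in
            cd[0-9]*) ;;                       # passN really is a CD drive
            *) echo "$p ${peer:-absent}" ;;    # passN maps to something else
        esac
    done
}

# On a live system:
#   risky_pass_grants "$(cat /etc/devfs.conf)" "$(camcontrol devlist)"
```

With the constructed sample, pass0 is reported because it belongs to da0, so the cdrom group would get raw pass-through access to a disk.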
