FBSD-6 usb/scanner-access-rights

Roland Smith rsmith at xs4all.nl
Sun Nov 20 14:05:15 GMT 2005


On Sun, Nov 20, 2005 at 02:16:24PM +0100, Holger Kipp wrote:
> 
> Is there an easy way to name the devices a user might
> be allowed to access rw, without compromising the system?
> I don't want to give operator group to these users,
> and I don't want to blindly allow access to some 
> da- or pass-devices where I cannot determine the order
> of numbering easily.

One thing you could do is make the groups usb and cdrom and make them
the groups owning the relevant devices, e.g. by putting the following in
/etc/devfs.rules:

add path 'da*s*' mode 0660 group usb
add path 'uscanner*' mode 0660 group usb

The ownership for the CD-ROM devices should be set in /etc/devfs.conf:

# Give members of group cdrom access to the CD/DVD-ROM and DVD+RW via the
# SCSI interface
own     xpt0    root:cdrom
perm    xpt0    0660

own     cd0     root:cdrom
perm    cd0     0660
link    cd0     cdrom
link    cd0     dvd

own     pass0   root:cdrom
perm    pass0   0660

own     cd1     root:cdrom
perm    cd1     0660

own     pass1   root:cdrom
perm    pass1   0660

The user that must be able to use the CD-ROMs and scanner must be a
member of the appropriate group.

If that is not fine-grained enough, maybe ACLs might help. See setfacl(1).

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
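
The devfs.conf entries above name pass0 and pass1 by unit number, which is the numbering question raised in the quoted message. As an added example (not part of the original post), this sh function derives such entries from `camcontrol devlist` output so that only pass nodes paired with a cd device get group access. The sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit devfs.conf entries only for pass(4) nodes that
# camcontrol pairs with a cd(4) device, so the pass node of a disk is
# never handed to group cdrom by accident.

# Constructed sample of `camcontrol devlist` output (not from the post).
sample_devlist() {
cat <<'EOF'
<EXAMPLE DVD-RW 1.00>              at scbus1 target 0 lun 0 (cd0,pass0)
<EXAMPLE USB Card Reader 1.00>     at scbus2 target 0 lun 0 (da0,pass1)
<EXAMPLE CD-R 1.06>                at scbus3 target 0 lun 0 (pass2,cd1)
EOF
}

# Reads devlist text on stdin, writes own/perm lines on stdout.
# $1 = group (default "cdrom", as in the post), $2 = mode (default 0660).
cdrom_devfs_conf() {
    group=${1:-cdrom}
    mode=${2:-0660}
    awk -v group="$group" -v mode="$mode" '
    {
        # The peripheral list is the trailing parenthesised field;
        # the order of names inside it differs between releases.
        if (!match($0, /\([^()]*\)[ \t]*$/)) next
        list = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/\)[ \t]*$/, "", list)
        n = split(list, dev, ",")

        # Skip any bus entry that has no cd device attached.
        has_cd = 0
        for (i = 1; i <= n; i++) if (dev[i] ~ /^cd[0-9]+$/) has_cd = 1
        if (!has_cd) next

        for (i = 1; i <= n; i++) {
            if (dev[i] ~ /^(cd|pass)[0-9]+$/) {
                printf "own     %s   root:%s\n", dev[i], group
                printf "perm    %s   %s\n", dev[i], mode
            }
        }
    }'
}

# On a FreeBSD host: camcontrol devlist | cdrom_devfs_conf cdrom 0660
```

Review the generated lines before appending them to /etc/devfs.conf, and regenerate them after adding or removing SCSI or USB storage, since unit numbers can change.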

More information about the freebsd-stable mailing list