On 16 Nov 1997, Torsten Hilbrich wrote:

> Paul Miller <[EMAIL PROTECTED]> writes:
>
> > I want users only in certain groups to be able to mount specific
> > filesystems.. eg
> >
> > floppy = /dev/fd0 (floppy drive)
> > cdrom = /dev/hdd (ide cdrom)
> > staff /dev/hda1 (dos)
> >
> > .... If I use the user option in fstab, all users can mount the fs.. and
> > I'd rather not make scripts because some programs use the mount command
> > for mounting...
>
> Create a group for floppy access (say 103) and dos (say 104).
>
> If you use the gid=103 (floppy) and umask=227 you can limit the
> *access* to file systems like vfat, msdos. The mounting will be
> possible but users not in floppy (or whatever you use here) will have
> no access to the mounted filesystem. I have no idea about iso9660
> with Rockridge extension (which has its own file permissions stored).
> My cdrom (/dev/scd0) has the permissions: "brw-rw---- 1 root cdrom "
> but this won't help you with IDE drives.

This is only part of the solution, as all users can still mount/unmount
partitions and floppies, like you say.

The solution to this lies in the permissions of the device itself. There
exists a group 'floppy' on every newly-installed Debian system, so I'll
use that one to show how to limit access to a floppy drive. The procedure
for other drives, audio devices and tape drives is similar. Groups named
disk, cdrom, audio and tape also already exist.

First, make every user that is allowed to access the floppy drive a
member of group 'floppy'. Let's assume we have a user called 'user1' and
we want him to be able to access the first (or only) floppy drive:

    # adduser user1 floppy

Now, change the permissions of the floppy device to 'brw-rw----':

    # chmod 660 /dev/fd0*

And then change the ownership of the floppy device to root.floppy:

    # chown root.floppy /dev/fd0*

Of course you can use '/dev/fd[01]*' in the examples above if you have
two floppy drives. Just be careful to leave /dev/fd as it is. It has
nothing to do with floppy drives. So don't use '/dev/fd*'.

The file permissions or ownerships may already be like we want them to
be. I can only look at my own system and I can't remember what I have
changed since I first installed Debian.

At the end you should have something like this:

    $ ls -l /dev/fd0*
    brw-rw---- 1 root floppy 2,   0 Sep 9 15:55 /dev/fd0
    brw-rw---- 1 root floppy 2,  84 Sep 9 15:55 /dev/fd0u1040
    brw-rw---- 1 root floppy 2,  88 Sep 9 15:55 /dev/fd0u1120
    brw-rw---- 1 root floppy 2,  28 Sep 9 15:55 /dev/fd0u1440
    brw-rw---- 1 root floppy 2, 124 Sep 9 15:55 /dev/fd0u1600
    brw-rw---- 1 root floppy 2,  44 Sep 9 15:55 /dev/fd0u1680
    brw-rw---- 1 root floppy 2,  60 Sep 9 15:55 /dev/fd0u1722
    brw-rw---- 1 root floppy 2,  76 Sep 9 15:55 /dev/fd0u1743
    brw-rw---- 1 root floppy 2,  96 Sep 9 15:55 /dev/fd0u1760
    brw-rw---- 1 root floppy 2, 116 Sep 9 15:55 /dev/fd0u1840
    brw-rw---- 1 root floppy 2, 100 Sep 9 15:55 /dev/fd0u1920
    brw-rw---- 1 root floppy 2,  12 Sep 9 15:55 /dev/fd0u360
    brw-rw---- 1 root floppy 2,  16 Sep 9 15:55 /dev/fd0u720
    brw-rw---- 1 root floppy 2, 120 Sep 9 15:55 /dev/fd0u800
    brw-rw---- 1 root floppy 2,  52 Sep 9 15:55 /dev/fd0u820
    brw-rw---- 1 root floppy 2,  68 Sep 9 15:55 /dev/fd0u830

Now, if you supply the 'user' option in /etc/fstab, only users that are a
member of the 'floppy' group can access the floppy drive.

Remco
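
The check below is an added example, not part of the original mail. It lists the fstab entries that carry the 'user' or 'users' option and reports whether each device node is closed to users outside its group, as the chmod 660 step in the mail leaves it. It assumes fstab entries name devices by path and reads the mode from `ls -ld`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the device nodes behind user-mountable fstab entries.

# user_mountable FSTAB: print the device field of every entry whose option
# list contains 'user' or 'users' (exact match, so 'nouser' is skipped).
# Only entries that name a device by absolute path are considered.
user_mountable() {
    awk '$1 ~ /^\// && NF >= 4 {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] == "user" || opt[i] == "users") { print $1; break }
         }' "$1"
}

# node_status PATH: print "<mode> <owner>:<group> <verdict>" taken from ls -ld.
# The verdict is "group-restricted" when the world bits are '---' (as with
# mode 660), otherwise "world-accessible"; "missing" if the node is absent.
node_status() {
    ls -ld -- "$1" 2>/dev/null | awk '
        { seen = 1; mode = substr($1, 1, 10)
          verdict = (substr(mode, 8, 3) == "---") ? "group-restricted" : "world-accessible"
          print mode, $3 ":" $4, verdict }
        END { if (!seen) print "- -:- missing" }'
}

# audit_fstab FSTAB: report every user-mountable device; return 1 if any
# node is missing or open to users outside its group, 0 otherwise.
audit_fstab() {
    rc=0
    for dev in $(user_mountable "$1"); do
        status=$(node_status "$dev")
        printf '%s %s\n' "$dev" "$status"
        case $status in
            *group-restricted) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run against the file given on the command line, e.g. /etc/fstab.
if [ "$#" -gt 0 ]; then
    audit_fstab "$1"
fi
```

The group column in the report shows which group membership (floppy, cdrom, ...) grants access to each node.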