Hello Debian ppl!

I am a lab admin. I need to give access to the floppy (/dev/fd0), zip drive (/dev/hdd), and sound (/dev/dsp) to the person logged in at the console (X or tty). If this was my personal machine, I would just put the users in the group console. Unfortunately, this cannot be the case. I have around 6500 users, and they are all able to log in to these machines remotely. While I agree it would be a good practical joke to start playing loud music in another room, it wouldn't be prudent in a lab setting. I have similar problems with the floppy and the zip (IDE floppy version). These devices would be even worse because another user could steal code from another (NOT GOOD!).

I was wondering if anyone had any solutions for me. I have thought of two different solutions:

1) Use pam_console, compiled separately. I don't really want to do this, because Debian doesn't include the file for a reason: it's got a gaping security hole. Users can hold open file descriptors on devices after they're not using a console (through screen, perhaps), and that basically makes the changing of users a moot point.

2) Use pam_group, and add them to a group when they're logged in on the console. This works on ttys, I've read, but not on xdm sessions. It's important that it works in X because this is what most of our lab users (and newbies to Linux sometimes, yay!) use most of the time. Forcing them to log in to a tty isn't really desirable.

My question is: Does anyone have any other solutions? Or can one of my solutions be modified to negate my problems with the solution?

Mike Janssen
College of Natural Sciences
Lab Administrator
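
Added example, not part of the original post: the held-descriptor problem described under option 1, shown on a constructed temporary file standing in for a device node, together with a Linux /proc scan an admin could run at logout to see which processes still hold the node open. The function names holders_of and demo are hypothetical, and the sketch assumes a Linux /proc filesystem.

```python
import os
import tempfile

def holders_of(path):
    """Return PIDs that have `path` open, by scanning /proc/<pid>/fd (Linux)."""
    target = os.path.realpath(path)
    pids = set()
    if not os.path.isdir("/proc"):
        return pids
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(f"{fd_dir}/{fd}") == target:
                        pids.add(int(pid))
                        break
                except OSError:
                    continue  # descriptor closed while we were scanning
        except OSError:
            continue  # process exited, or we may not inspect it
    return pids

def demo():
    # Constructed stand-in for a device node such as /dev/fd0.
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(b"next user's data")
    tmp.close()
    path = tmp.name
    try:
        held = os.open(path, os.O_RDONLY)  # opened while "at the console"
        os.chmod(path, 0)                  # session ends: access to the node is revoked
        # Permissions are checked at open() time, so the old descriptor still reads.
        data = os.pread(held, 64, 0)
        still_open_by = holders_of(path)   # what a logout-time check would report
        os.close(held)
        return data, still_open_by
    finally:
        os.unlink(path)

if __name__ == "__main__":
    data, pids = demo()
    print("read after revocation:", data)
    print("PIDs still holding the node:", sorted(pids))
```

Run as root, holders_of sees every process on the machine; as an ordinary user it only sees that user's own processes.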