Darren J Moffat wrote:
>
> Instead of guessing shall I tell you the correct fix!
>
> The correct and recommended fix is to run bsmconv to turn on device
> allocation. This sets all of the device files for removable media devices
> such as tapes to 0000. A user who then wants to use a tape should then:
>
>     allocate st0
>     insert tape into drive
>     tar/ufs*/cpio/dd whatever
>     remove tape from drive
>     deallocate st0
>
> The same applies to audio and cd devices, though the audio devices
> are better dealt with using /etc/logindevperm.
>
>
> If you are concerned about security on Solaris you should always
> run bsmconv to turn on auditing and device allocation and run ASET
> to ensure other perms etc are sorted out. I would recommend running
>     /usr/aset/aset -l high -p
>

Another alternative for those who want to severely restrict access to
*any* tape drive is to chmod the directory of the device, and chgrp it
accordingly to permit access to only a restricted number of users. As an
example, a startup script in /etc/init.d might contain the following
to deal with a DLT:

    if [ -d /devices/pci@6,4000/pci@4/SUNW,isptwo@4 ]
    then
        # tape drive (DLT), CPI slot #1, unit 4
        /usr/bin/chmod 750 /devices/pci@6,4000/pci@4/SUNW,isptwo@4
        /usr/bin/chgrp tapedev /devices/pci@6,4000/pci@4/SUNW,isptwo@4
    fi

and just add your list of allowed users to the "tapedev" group in the
/etc/group file. Of course, one could still use the allocate/deallocate
functions from the bsmconv/C2 package in addition to this.

--
Tobias J. Kreidl
Northern Arizona University / Information technology Services
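An added example, not part of the original message: the chmod/chgrp step above wrapped in a function that also verifies the result, so a boot script can tell whether the restriction actually took effect. The function names and return codes are hypothetical; the only assumption is that `ls -ld` prints the mode in column 1 and the group in column 4.

```sh
#!/bin/sh
# Added example (not from the original post); names and codes are hypothetical.

# check_devdir DIR GROUP
#   0 = DIR grants nothing to "other" and is group-owned by GROUP
#   1 = DIR does not exist (device not installed)
#   3 = DIR is reachable by "other" or has a different group
check_devdir() {
    cd_dir=$1 cd_group=$2
    [ -d "$cd_dir" ] || return 1
    # Assumption: ls -ld prints the mode in column 1 and the group in column 4.
    cd_info=$(ls -ld "$cd_dir" | awk '{ print $1 " " $4 }')
    cd_mode=${cd_info%% *}
    cd_owner_group=${cd_info#* }
    # Positions 8-10 of the mode string are the "other" bits; all must be "-".
    case $cd_mode in
        d??????---*) ;;
        *) return 3 ;;
    esac
    [ "$cd_owner_group" = "$cd_group" ] || return 3
    return 0
}

# restrict_devdir DIR GROUP
#   Same order as the post: chmod 750 first, then chgrp. If the chgrp fails
#   (for example GROUP is missing from /etc/group) the directory is already
#   closed to "other", so the failure leaves it locked down, not open.
#   0 = restricted and verified, 1 = DIR absent, 2 = chgrp failed,
#   3 = chmod failed or verification failed
restrict_devdir() {
    rd_dir=$1 rd_group=$2
    [ -d "$rd_dir" ] || return 1
    chmod 750 "$rd_dir" 2>/dev/null || return 3
    chgrp "$rd_group" "$rd_dir" 2>/dev/null || return 2
    check_devdir "$rd_dir" "$rd_group"
}

# Usage in an /etc/init.d script, with the path and group from the post:
#   restrict_devdir /devices/pci@6,4000/pci@4/SUNW,isptwo@4 tapedev ||
#       echo "tape directory not restricted (rc=$?)" >&2
```

Running `check_devdir` on its own from cron or an audit script catches the case where the directory permissions have been reset since boot.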
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:57 PDT