protect tape access
BostonU SysMgr
root%bostonu.csnet at csnet-relay.arpa
Tue Feb 12 07:28:53 AEST 1985
I started to put one in my system, tell me if you
find one but my scheme went like this:
create a psuedo-user 'free' (or some such)
free owns the tape drive (owner/group)
make a tapealloc command called something which
is setuid. It chowns the tape drive and forks a
sub-shell. When the subshell exits it returns it
to 'free'. The reason for the subshell is that
any attempt to log out (eg. hanging up a phone)
will free up the tape drive again (you may have
to play with signals in tapealloc but it is straightforward.)
The major problem is: The subshell method could make a
few things awkward but this is not an unusual constraint
and a user could still 'hog' a tape drive although at
least now a 'ls -l /dev/?mt*' lists who is using what.
Also, you will have to chown some set of devices
(eg, /dev/mt0, /dev/rmt0, /dev/mt8 etc on 4.2bsd)
but this is still reasonable.
-Barry Shein
[oh yeah, make sure you do your setuids correctly before
forking that (setuid'd) subshell.]
More information about the Comp.unix.wizards
mailing list