Bugtraq mailing list archives

Re: solaris tape dev permission stupidity


From: Tobias.Kreidl () NAU EDU (Tobias J. Kreidl)
Date: Fri, 23 Oct 1998 11:24:10 -0700


Darren J Moffat wrote:

> Instead of guessing shall I tell you the correct fix!
>
> The correct and recommended fix is to run bsmconv to turn on device
> allocation.  This sets all of the device files for removable media devices
> such as tapes to 0000.  A user who then wants to use a tape should then:
>
>         allocate st0
>                 insert tape into drive
>         tar/ufs*/cpio/dd  whatever
>                 remove tape from drive
>         deallocate st0
>
> The same applies to audio and cd devices, though the audio devices
> are better dealt with using /etc/logindevperm.
>
> If you are concerned about security on Solaris you should always
> run bsmconv to turn on auditing and device allocation and run ASET
> to ensure other perms etc are sorted out.  I would recommend running
> /usr/aset/aset -l high -p


Another alternative for those who want to severely restrict
access to *any* tape drive is to chmod the directory
of the device, and chgrp it accordingly to permit access to only
a restricted number of users.  As an example, a startup script
in /etc/init.d might contain the following to deal with a DLT:


if [ -d /devices/pci@6,4000/pci@4/SUNW,isptwo@4 ]
then
    # tape drive (DLT), PCI slot #1, unit 4:
    # owner keeps full access, group "tapedev" may traverse the
    # directory, everyone else is locked out of the device nodes
    /usr/bin/chmod 750 /devices/pci@6,4000/pci@4/SUNW,isptwo@4
    /usr/bin/chgrp tapedev /devices/pci@6,4000/pci@4/SUNW,isptwo@4
fi


and just add your list of allowed users to the "tapedev" group in
the /etc/group file.  Of course, one could still use the allocate/deallocate
functions from the bsmconv/C2 package in addition to this.

-- Tobias J. Kreidl
   Northern Arizona University / Information Technology Services
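Whichever of the two approaches above is used (bsmconv setting the removable-media nodes to 0000, or chmod/chgrp on the device directory), the thing an administrator wants afterwards is a quick check that no tape, CD or audio node is still reachable by group or other. The following POSIX sh audit is an added example and is not code from either poster. The helper names (`device_mode_status`, `audit_removable_devices`) are my own; the default directory list assumes the usual Solaris locations (/dev/rmt for tapes, /dev/dsk and /dev/rdsk for disk and CD nodes, /dev for the audio nodes), and any directory that does not exist is simply skipped.

```shell
#!/bin/sh
# Added example, not part of the original Bugtraq thread: audit device
# nodes for group/other permission bits. Uses `ls -ldL` rather than stat(1)
# so it behaves the same under Solaris /bin/sh and on GNU systems, and
# follows symlinks because Solaris /dev/rmt/* are links into /devices.

# Print "open" when the node's mode grants any permission to group or
# other, "restricted" when both triplets are "------" (e.g. the 0000 that
# bsmconv sets). Returns 2 when the path cannot be examined. setgid/sticky
# markers (S, T) are counted as open, which errs on the side of reporting.
device_mode_status() {
    path=$1
    mode=$(ls -ldL "$path" 2>/dev/null | awk '{print $1}')
    [ -n "$mode" ] || return 2
    # characters 5-10 of e.g. "crw-rw-rw-" are the group and other triplets
    rest=$(printf '%s' "$mode" | cut -c5-10)
    case $rest in
        ------) echo restricted ;;
        *)      echo open ;;
    esac
}

# Walk the given directories (default: assumed Solaris removable-media
# locations) and print one "OPEN:" line per node that is group- or
# world-accessible. Returns 1 if anything was reported, 0 if all clean.
audit_removable_devices() {
    [ $# -gt 0 ] || set -- /dev/rmt /dev/dsk /dev/rdsk /dev
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for node in "$dir"/*; do
            [ -e "$node" ] || continue
            # only device nodes and the directories that contain them matter
            [ -c "$node" ] || [ -b "$node" ] || [ -d "$node" ] || continue
            if [ "$(device_mode_status "$node")" = open ]; then
                echo "OPEN: $node $(ls -ldL "$node" | awk '{print $1, $3, $4}')"
                found=1
            fi
        done
    done
    return $found
}

# Usage: run as root after bsmconv or the chmod/chgrp startup script,
# e.g.  audit_removable_devices /dev/rmt /devices/pci@6,4000/pci@4
```

A non-zero exit means at least one node still has group or other bits set; after bsmconv the tape entries should all come back "restricted", while the chmod 750 approach above will, by design, still show the directory itself as open to the tapedev group.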
