On Wed, Sep 19, 2007 at 11:12:33PM +0100, Stuart Henderson wrote:
> On 2007/09/19 17:46, Matthew Szudzik wrote:
> > I was wondering if the participants in [email protected] would help me
> > brainstorm. I want to give the operator group greater permissions than it
> > currently has, so that any member of the group can perform most of the
> > basic actions of a system administrator or desktop/laptop owner, without
> > resorting to sudo.
>
> "resorting to"? but that's good, since then it gets logged...

I agree, except that there's the warning that you don't put anyone in sudo
that you wouldn't trust with root access. Let's take a typical family setup.
Mom is the SA who knows the root password. Dad can be operator and do stuff
with sudo. However, the kids may just want to listen to CDs, watch DVDs,
access their homework on a USB stick, rip a CD to MP3 and transfer it to
their player, or move MP3s from their player and burn them to a CD. Is it
appropriate for the kids to use sudo, or is there a security risk, since you
do not want the kids to get root? They may also need to have the modem
access the internet. I don't know the details of this on OBSD yet, since I
use dialup via my Debian box.

> > The first thing on my wish-list is greater device access. The operator
> > should have read/write access to many of the devices in /dev, especially
> > USB drives, tape drives, and CD drives.
>
> Just not e.g. hard drives.
>
> USB, CD drives -> sounds like a job that could be done with amd(8).

However, suppose you want to mount a USB/CD, check something, unmount it,
and mount another? I don't see a way to tell amd to unmount before it
times out.

----

Your suggestion is similar to the way devices are handled in Debian. On my
Debian box, I'm in the following groups for the following reasons:

dtutty: standard default login group
adm: so I can read logs
dialout: so I can use minicom to access the modem directly
cdrom: so I can mount the cdrom, burn CDs, etc.
floppy: ditto for floppies
audio: so I can adjust the mixer settings and hear music and movies
dip: so I can pon the internet
video: so I can watch movies
plugdev: so I can mount and access USB sticks, Palm, etc.
staff: similar to OBSD's operator group
ssh: so I can limit who can run ssh

The definitive info on groups in Debian comes from the documentation with
the base-passwd package, in the users-and-groups.html file, which I can
email to you if you like: 19 KB in HTML, 5.3 KB in text. The document itself
is under the GPLv2, but you will only be reading it, not modifying it to
include in OBSD :))

------

If it weren't for the warnings about sudo and people you don't trust with
root, I think that using sudo with groups is the best approach. Then you
don't have to change bits of the system all over the place. It _may_ (I
don't know) be easier or better to close any security concerns in the
commands that would be run under sudo (such as mount). Then there could just
be provided a default sudoers file that gave abilities to groups, with no
default members in those groups.

Just my random thoughts. I'm very new to OBSD and have been using Debian
since before it trended towards clicky-pointy Lindows. :)

Doug.
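As an added illustration of the closing suggestion (a default sudoers file that grants abilities to groups which start with no members), here is a constructed sudoers fragment; it is not from the thread or from any OpenBSD default, and the device nodes, mount points and group names are assumptions. The weak rule is shown beside the restricted one.

```sudoers
# Constructed example: group-based sudoers rules, not from the thread.
# Device nodes (/dev/cd0a, /dev/sd0i) and mount points are assumptions.

# Weak rule (commented out): no argument restriction, so a member could
# mount any device, including hard disk slices, on any directory, or
# pass arbitrary options.
# %operator ALL = (root) /sbin/mount, /sbin/umount

# Tighter rule: fix the device, mount point and options in the command
# spec. sudo matches the full command line exactly, and a literal comma
# inside an argument must be escaped with a backslash.
Cmnd_Alias MOUNT_CD  = /sbin/mount -o ro\,nodev\,nosuid /dev/cd0a /cdrom, \
                       /sbin/umount /cdrom
Cmnd_Alias MOUNT_USB = /sbin/mount -o nodev\,nosuid /dev/sd0i /mnt/usb, \
                       /sbin/umount /mnt/usb

# Groups ship empty; the administrator adds members deliberately.
# Each invocation is still logged by sudo, which keeps the audit trail
# the thread mentions while limiting what the group can run.
%cdrom   ALL = (root) NOPASSWD: MOUNT_CD
%plugdev ALL = (root) NOPASSWD: MOUNT_USB
```

Install the fragment with `visudo -f <file>` so a syntax error is caught before the rules take effect.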

