>>>>> "Darren" == Darren J Moffat <Darren> writes:
Mike> The idea is to give users
Mike> mount/unmount privileges by putting this entry in /etc/user_attr:
Mike> <user>::::type=normal;defaultpriv=basic,sys_mount

[...]

Darren> It sounds reasonable to me given the other protections you have
Darren> in place.

Thanks for the quick response.

Someone pointed out to me off-list that the dev team has been working
on a new plugin mechanism for sshd, so that it can get authorization
information directly from the Auth app. (Right now we have a cron job
that pulls the user database and updates each user's ssh keys.) There's
a concern about the additional complexity that the privilege-based
approach will introduce to the plugin.

One of the other workarounds that I've discussed with the Ops team is
installing some sort of setuid unmount helper on the server. This could
be something as simple as a setuid copy of /sbin/umount, or it could be
a more sophisticated wrapper that (for example) only allows unmounts
from SCM users' directories.

Do you have any thoughts on the tradeoffs between the 2 approaches
(privileges-based versus setuid-based)?

thanks,
mike
_______________________________________________
tools-discuss mailing list
tools-discuss@opensolaris.org
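As an added illustration (not code from this thread or from the project), here is the path check that the "more sophisticated wrapper" option would depend on: the requested mount point is canonicalized and accepted only if it lies strictly below one base directory. The base path /export/scm and the function name are assumptions; the message does not say where the SCM users' directories live.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical base directory; the thread does not name the real one. */
#define SCM_BASE "/export/scm"

/*
 * Return 1 only if `target` resolves to an existing directory strictly
 * below `base`. Both paths go through realpath(), so symlinks and ".."
 * components are resolved before the comparison is made.
 */
int unmount_target_allowed(const char *base, const char *target)
{
    char rbase[PATH_MAX], rtarget[PATH_MAX];
    struct stat st;
    size_t blen;

    if (base == NULL || target == NULL)
        return 0;
    if (realpath(base, rbase) == NULL || realpath(target, rtarget) == NULL)
        return 0;                 /* missing or unresolvable: refuse */
    blen = strlen(rbase);
    if (blen == 1)                /* base resolved to "/": refuse */
        return 0;
    if (strncmp(rtarget, rbase, blen) != 0)
        return 0;                 /* outside the base directory */
    if (rtarget[blen] != '/')     /* base itself, or a sibling such as "scm-evil" */
        return 0;
    if (stat(rtarget, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    int ok;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
        return 2;
    }
    ok = unmount_target_allowed(SCM_BASE, argv[1]);
    printf("%s: %s\n", argv[1], ok ? "allowed" : "refused");
    return ok ? 0 : 1;
}
```

A wrapper built on this check would hand the canonicalized path, not the caller's original string, to the unmount call, since the check and the unmount are separate steps. A plain setuid copy of /sbin/umount performs no such check at all.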