Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: bzs@bu-cs.bu.edu (Barry Shein)
Newsgroups: comp.sys.sun
Subject: Re: Tape drive securiry
Keywords: SunOS
Message-ID: <30001@bu-cs.BU.EDU>
Date: 5 May 89 19:04:27 GMT
References: <8904032031.AA03691@helios>
Sender: usenet@rice.edu
Organization: Boston U. Comp. Sci.
Lines: 35
Approved: Sun-Spots@rice.edu
Original-Date: 22 Apr 89 18:18:16 GMT
X-Sun-Spots-Digest: Volume 7, Issue 268, message 5 of 21

From: root%helios.UCSC.EDU@ucscc.ucsc.edu (De Clarke Sys Mgr)
>...We have one tape drive on
>our 4/280.  This is the problem:  U**x does not provide, as far as this
>neophyte knows, an equivalent to the VMS ALLOCATE command, which allocates
>a device to a user.

A simple setuid program which manipulates ownership/permission on the tape
drive devices is probably all you need. Something like:

	create a psuedo-user "free" which owns the
	tape drive when not in use. Change permissions
	to something like 600.

	write a short program which just changes ownership
	to the user if currently owned by free or back to
	free when done.

	you might want to add a few lines to rc.local which, eg,
	rewinds and unloads any tape mounted on reboot and resets
	the ownership to user free. How good an idea this is
	might take some experience.

It really shouldn't take more than about a screenful or two of C code.
Could be done with shell scripts but setuid shell scripts are fraught with
security problems.

If you wanted to get fancier you could fork a subshell after setting the
tape ownership so any interruption (eg. hanging up) would reset the tape
drive, optional and possibly a nuisance (eg. you'd lose your history
list.)

	-Barry Shein, Software Tool & Die

There's nothing more terrifying to hardware vendors than
satisfied customers.