Mailinglist Archive: opensuse-security (81 mails)

Re: [suse-security] uses of group disk
  • From: Bob Vickers <bobv@xxxxxxxxxxxxx>
  • Date: Thu, 2 Feb 2006 09:35:04 +0000 (GMT)
  • Message-id: <Pine.LNX.4.61.0602020926330.19926@xxxxxxxxxxxxxxxxxxxxx>
Dear David,

What you suggest is tempting, but actually a blind alley. If you put the
operators in group disk they will have enormous power to do damage (e.g.
they can write to raw disc partitions) but they still won't have the power
they need to read all files to back them up.

I think it is better to design your backup scripts to run as root, and use
sudo to restrict access to those scripts. It is certainly simpler, and
complexity is the enemy of security.

Bob

On Wed, 1 Feb 2006, David Bear wrote:

> I would like to give a select number of 'backup operators' -- those
> who can mount volumes (smb shares) and those who may write to the tape
> device.
>
> Since the tape device is group owned by disk, I'm assuming the proper
> way to give these backup operators permissions to write to it is by
> putting them in group disk.
>
> What about smbmounting? Should I add group disk to sudoers and give
> that group permissions to run smbmount?
>
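
One way to structure what Bob recommends, as an added example that is not part of the original thread: a root-run wrapper that operators reach only through sudo, so they never join group disk and never get sudo rights to smbmount itself. The group name `backupops`, the script path, the share names, the credentials file and the tape device `/dev/st0` are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: root-run backup wrapper; every name below is hypothetical.
# sudoers entry (edit with visudo), the only privilege operators receive:
#   %backupops ALL = (root) /usr/local/sbin/run-backup
# Operators are NOT added to group disk and get no sudo right to smbmount or tar.

# Fixed allowlist: job name -> SMB share. The caller picks a name, never a path,
# device or mount option, so sudo arguments cannot steer what root does.
share_for_job() {
    case "$1" in
        finance) echo "//fileserver/finance" ;;
        homes)   echo "//fileserver/homes" ;;
        *)       return 1 ;;
    esac
}

# Accept only plain lowercase names, then require an allowlist hit.
validate_job() {
    case "$1" in
        ''|*[!a-z]*) return 1 ;;
    esac
    share_for_job "$1" >/dev/null
}

run_backup() {
    job=$1
    validate_job "$job" || { echo "unknown backup job" >&2; return 2; }
    share=$(share_for_job "$job")
    mnt=/mnt/backup-src                 # fixed, root-owned mount point
    PATH=/usr/sbin:/usr/bin:/sbin:/bin  # do not trust the caller's PATH
    export PATH
    umask 077
    smbmount "$share" "$mnt" -o "credentials=/etc/backup/smb.cred,ro" || return 3
    rc=0
    tar -cf /dev/st0 -C "$mnt" . || rc=$?   # tape device stays root/disk only
    umount "$mnt"
    return "$rc"
}

# Runs only when called as: sudo /usr/local/sbin/run-backup --job homes
if [ "${1:-}" = "--job" ] && [ $# -eq 2 ]; then
    run_backup "$2"
    exit $?
fi
```

The script file and its directory must be writable by root only, otherwise the sudo rule grants far more than the backup.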
