
Re: [suse-security] uses of group disk



Dear David,

What you suggest is tempting, but actually a blind alley. If you put the 
operators in group disk they will have enormous power to do damage (e.g. 
they can write to raw disc partitions) but they still won't have the power 
they need to read all files to back them up.

I think it is better to design your backup scripts to run as root, and use 
sudo to restrict access to those scripts. It is certainly simpler, and 
complexity is the enemy of security.

Bob

On Wed, 1 Feb 2006, David Bear wrote:

> I would like to give a select number of 'backup operators' -- those
> who can mount volumes (smb shares) and those who may write to the tape
> device.
> 
> Since the tape device is group owned by disk, I'm assuming the proper
> way to give these backup operators permissions to write to it is by
> putting them in group disk.
> 
> What about smbmounting? Should I add group disk to sudoers and give
> that group permissions to run smbmount?
> 

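
The arrangement recommended in the reply, sketched as a sudoers fragment. This is an added example, not part of the original messages; the group name "backupops" and the two wrapper script paths are assumptions made for illustration.

```sudoers
# sudoers fragment; edit with visudo so syntax errors are caught before saving.
#
# Assumed names, not from the thread: group "backupops" and the two wrapper
# scripts below. The scripts do the tape write and the share mount themselves,
# with the device and share names fixed inside the script, so the operators
# need no membership in group disk.
#
# The scripts must be owned by root and writable by nobody else
# (for example mode 0700, owner root:root); otherwise an operator could
# change what runs as root.

# The trailing "" means "no arguments allowed", so operators cannot pass
# their own device, share or option strings through to a root process.
Cmnd_Alias BACKUP_CMDS = /usr/local/sbin/backup-to-tape "", \
                         /usr/local/sbin/mount-backup-share ""

# Run these commands with a reset environment rather than the caller's.
Defaults!BACKUP_CMDS env_reset

# Members of backupops may run only these commands, as root, on any host
# that uses this file.
%backupops ALL = (root) BACKUP_CMDS
```

An operator then runs "sudo /usr/local/sbin/backup-to-tape", and "sudo -l" shows them exactly which commands they have been granted.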