On Wed, Sep 19, 2007 at 11:12:33PM +0100, Stuart Henderson wrote:

I agree, except that there's the warning that you don't put anyone in sudo that you wouldn't trust with root access. Let's take a typical family setup. Mom is the SA who knows the root password. Dad can be operator and do stuff with sudo. However, the kids may just want to listen to CDs, watch DVDs, access their homework on a USB stick, rip a CD to MP3 and transfer it to their player or move MP3s from their player and burn them to a CD. Is it appropriate for the kids to use sudo or is there a security risk since you do not want the kids to get root?

They may also need to have the modem access the internet. I don't know the details of this on OBSD yet since I use dialup via my Debian box.

Just not e.g. hard drives. However, suppose you want to mount a USB/CD, check something, unmount it, and mount another? I don't see a way to tell amd to unmount before it times out.

----

Your suggestion is similar to the way devices are handled in Debian. On my Debian box, I'm in the following groups for the following reasons:

dtutty: standard default login group
adm: so I can read logs
dialout: so I can use minicom to access the modem directly
cdrom: so I can mount the cdrom, burn CDs, etc
floppy: ditto for floppies
audio: so I can adjust the mixer settings and hear music and movies
dip: so I can pon the internet
video: so I can watch movies
plugdev: so I can mount and access USB sticks, Palm, etc
staff: similar to OBSD's operator group.
ssh: So I can limit who can run ssh.

The definitive info on groups in Debian comes from the documentation with the base-passwd package in the users-and-groups.html file which I can email to you if you like: 19 KB in html, 5.3 KB in text. The document itself is under the GPLv2 but you will only be reading it not modifying it to include in OBSD :))

------

If it weren't for the warnings about sudo and people you don't trust with root, I think that using sudo with groups is the best approach. Then you don't have to change bits of the system all over the place. It _may_ (I don't know) be easier or better to close any security concerns in the commands that would be run under sudo (such as mount). Then there could just be provided a default sudoers file that gave abilities to groups, with no default members in those groups.

Just my random thoughts. I'm very new to OBSD and have been using Debian since before it trended towards clicky-pointy Lindows. :)

Doug.
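
One way to write the group-based sudoers file suggested above (an added example, not part of the original message). The group names cdrom and plugdev are borrowed from the Debian list in the message; they, the device nodes and the mount points are assumptions to adapt to the local system. Each rule pins the full argument list, so a group member can run only these exact command lines and cannot mount an arbitrary device or drop the nodev/nosuid options.

```sudoers
# /etc/sudoers fragment -- edit with visudo so syntax errors are caught.
# Assumed names (not from the original message): groups "cdrom" and
# "plugdev", devices /dev/cd0a and /dev/sd1i, mount points /mnt/cdrom
# and /mnt/usb. The groups are created empty; nobody gets these rights
# until the administrator adds a user to a group.

# When arguments are listed, sudo only permits an exact match.
# A comma inside command arguments must be escaped as "\," in sudoers.
Cmnd_Alias CD_MOUNT  = /sbin/mount -r -o nodev\,nosuid /dev/cd0a /mnt/cdrom, \
                       /sbin/umount /mnt/cdrom

Cmnd_Alias USB_MOUNT = /sbin/mount -o nodev\,nosuid /dev/sd1i /mnt/usb, \
                       /sbin/umount /mnt/usb

# Members of the group may run only the aliased commands, as root.
%cdrom    ALL = (root) CD_MOUNT
%plugdev  ALL = (root) USB_MOUNT
```

A member can confirm what they are allowed to run with `sudo -l`; any variation in the arguments, such as a different device or missing options, is refused.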
