Local workstation permissions was: Why newbies don't RTFM

I suspect the easiest way to do it would be to dynamically maintain a group for "users logged in at the console", and give this group permissions for anything that should be accessible to the users of a single-user workstation. Some things would be as simple as doing something like -------- chgrp localusersdev-ttyS1 chmod 770dev-ttys1 -------- , and things that involve mucking about with kernel data and not just accessing files could be handled with wrappers that check local-users group membership, check and-or sanitize arguments, and then perform the operation with the required priveliges. F'rexample, mounting removeable media and network shares could be done by a wrapper around mount that checks the group membership, makes sure the device-like thing being mounted is in the acceptable mounts list, and checks that the mount point is, say, either under the user's home directory or undermnt without something already mounted there, and then mounts the device if all of these checks pbutt.

This wouldn't directly give local users the ability to do these things, but it's a workaround that with care and tuning could be made almost completely invisible, and it doesn't involve any drastic changes in how things work underneath.

If it weren't so drastic, abandoning the Unix permissions model would be the better way to do things. That way you could define things like that as requiring "workstation-control" access, and just give any user or process connected to the console that access along with whatever other access they've authenticated themselves suitably for.

dave

-- There is an international standard unit for just about every measurable quanbreasty, and the US ignores most of them. --Joona I Palaste in comp.lang.c