See below for thanks, two longer answers, and my original question,
but the short answer, as written by Paul Sand, is:
> Phil --
>
> Our backup scripts chown the tape device to root and chmod it to 0600
> to prevent users from messing with it. In shell, for example:
>
> chown root /dev/*mt0*
> chmod 600 /dev/*mt0*
>
> When a user mounts a tape for his or her own use, our operators have
> a `sudo' script to do the same thing on their behalf. Presumably you
> could do the same thing with a setuid program the users could run
> themselves, but I haven't done that.
>
> --
> -- Paul A. Sand | Don't get brainwashed by your
> -- University of New Hampshire | education into thinking that all the
> -- pas_at_unh.edu | answers have to come from teachers.
> -- http://pubpages.unh.edu/~pas | (Larry Wall)
As usual, correct answers started arriving before I even received a
copy of my original question. Thanks to:
alan_at_nabeth.cxo.dec.com
rwa_at_cs.athabascau.ca (Ross Alexander)
"Dr. Tom Blinn, 603-884-0646" <tpb_at_zk3.dec.com>
Steve Crothers <steve_at_eiscat.ag.rl.ac.uk>
Paul A Sand <pas_at_unh.edu>
Gyula Szokoly <szgyula_at_tarkus.pha.jhu.edu>
Simon Tardell <Simon.Tardell_at_physto.se>
David Warren <warren_at_atmos.washington.edu>
(Sorry if I left anybody out.)
Here are two longer answers from alan_at_nabeth.cxo.dec.com and Dr. Tom
Blinn:
> Subject: Re: Can you "allocate" a DU tape drive?
> Date: Wed, 10 Dec 97 11:29:44 -0700
> From: alan_at_nabeth.cxo.dec.com
> To: Phil Rand <prand_at_paul.spu.edu>
>
> Once the tape is open, you're protected because the tape
> driver should only allow exclusive use. I haven't checked
> recently to see if this has changed. When the tape is close
> protection is provided by the device permissions. If you
> don't want a random user doing something to the tape while
> your backup procedure is using it, remove the permissions
> he needs to open it. From a backup script that should be
> pretty easy.
>
> Your real problem is when the backup script isn't running.
> As long as the tape is still in the drive, the data is at
> risk if somebody can bring it back online or it wasn't
> taken offline at the end of the backup. Again, you need
> to be able to open the device, so careful use of permissions
> should be enough.
>
> I've heard of 3rd party products that provided an allocation
> service and I think they just have a setuid program that
> changes the ownership and permission so that only the user
> with the device allocated can use it. The problem such
> software has is that if the user doesn't deallocate it
> when done, the software has to find a way to determine
> that it is no longer in use, or wait until root resets the
> permissions to the "free" state.
> Subject: Re: Can you "allocate" a DU tape drive?
> Date: Wed, 10 Dec 97 13:55:34 -0500
> From: "Dr. Tom Blinn, 603-884-0646" <tpb_at_zk3.dec.com>
> To: Phil Rand <prand_at_paul.spu.edu>
[snipped quotation of original question]
> It is to laugh, right? I mean, surely you've read the "UNIX Hater's"
> handbook and know by now that UNIX is a power tool, which means you can
> use it to cut off your various appendages or otherwise mangle them.
>
> The deficiencies you identify in UNIX's tape handling for a commercial
> environment are all very real. There is no mechanism in UNIX in general
> or in DIGITAL UNIX in particular to do what you describe, or anything much
> like it, short of opening the tape unit in question as a file (which once
> you do it will make it inaccessible to others), or doing something such as
> removing the tape unit device names (generally, root owns them but other
> users are allowed read/write access) or protecting them to prevent access by
> Joe Random User.
>
> Tom
>
> Dr. Thomas P. Blinn, UNIX Software Group, Digital Equipment Corporation
> 110 Spit Brook Road, MS ZKO3-2/U20 Nashua, New Hampshire 03062-2698
> Technology Partnership Engineering Phone: (603) 884-0646
> Internet: tpb_at_zk3.dec.com Digital's Easynet: alpha::tpb
> ACM Member: tpblinn_at_acm.org PC_at_Home: tom_at_felines.mv.net
>
> Worry kills more people than work because more people worry than work.
>
> Keep your stick on the ice. -- Steve Smith ("Red Green")
>
> My favorite palindrome is: Satan, oscillate my metallic sonatas.
> -- Phil Agre, pagre_at_ucsd.edu
>
> Opinions expressed herein are my own, and do not necessarily represent
> those of my employer or anyone else, living or dead, real or imagined.
My original question:
> I've been a Digital Unix system administrator for years, now, but I'm
> still amazed at my own ignorance, sometimes.
>
> On VMS, if you want to handle a tape securely, you can issue the
> "allocate" command to give your process (job?) sole control over the tape
> drive before physically loading the tape. While you have the tape
> allocated, nobody else can get access (I think privileged processes can
> break it away from you, but I've never had to learn how to do that). When
> you're done, after you've physically unloaded the tape, you deallocate the
> drive, so the next guy or gal can use it.
>
> What is there on Digital Unix (or Unix in general) to do this?
>
> I suppose tape devices must be protected against multiple access during
> actual operation somehow, but what keeps some other user from accessing my
> tape between the time when I physically load it and when I issue a tar,
> vdump, or other tape access command?
>
> We load backup tapes before we leave at the end of the day, and the backup
> process runs under a cron job early the next morning. Is there anything
> we should be doing to protect potentially sensitive data from previous
> backups on that tape? What stops Joe Random User from typing "mt
> offline", making our backup fail?
>
> Surely products like Networker Save/Restore have a solution to this, don't
> they?
>
> I'll summarize any answers I receive. Thanks in advance!
>
> --
> -- Phil Rand <prand_at_spu.edu> aka <postmaster_at_spu.edu>
> -- Computer & Information Systems (206) 281-2428
> -- Seattle Pacific University, 3307 3rd Ave W, Seattle, WA 98119
> -- http://paul.spu.edu/~prand/
> --
> "One person CAN change the world, but most of the time,
> you probably shouldn't." -- Marge Simpson
Received on Fri Dec 12 1997 - 18:44:50 NZDT