User access to removable media

That is to say, floppy disks, cdroms, dvds and the various usb devices which people insert into their computers nowadays. On a Windows system one can typically just insert the medium and, hey presto, it is available. In the wonderful world of Unix that kind of access is (rightly) seen as a security risk - anyone can do anything they like to your computer by such means, and access is therefore normally limited to the root user, a sober and safe individual.

But I want to live dangerously - I don't want the pain of changing to root on my machine every time I want to access a floppy or cd, and on a machine used mainly by myself it is safe enough, so ...

Step 1.

Allow users to run the mount command to mount a filesystem, and the umount command to unmount it. This is done by adding the following line to the /etc/sysctl.conf file.

  vfs.usermount=1

That will come into effect at a re-boot, but can be applied straight away with

  sysctl vfs.usermount=1

Step 2 Permission to mount

As a security measure, only root and members of the group (operator) will be allowed to mount these devices. In order to allow anybody from the operator group to mount the floppy and cdrom devices, the device ownership and permission settings need to be changed to:

    crw-rw---- root:operator

While root can make this change by hand, the device owner and permissions will be reset the next time the system is restarted. To make this change permanent, we need to add the following entries to the /etc/devfs.conf file.

Allow members of the group operator to mount the floppy disk.

    own /dev/fd0 root:operator
    perm /dev/fd0 0660

Allow members of the group operator to mount the cdrom.

    own /dev/acd0 root:operator
    perm /dev/acd0 0660

The next time the system is started, all members of the group operator may mount and unmount the CDROM and Floppy Drive to directories that they own. In order to allow all users permission to mount a device, set the permission value to 0666 - but that would remove a useful level of control.

A regular user can now issue the commands:

    mkdir ~/cdrom
    mount -t cd9660 /dev/acd0 ~/cdrom
    umount ~/cdrom
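
A way to check /etc/devfs.conf against the policy in Step 2, as an added example that is not part of the original page: it flags devices whose mode grants access to everyone (such as 0666) or whose group is not operator. The function names and the sample configuration, including the da0 entry, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit devfs.conf "own"/"perm" lines against the Step 2 policy.
# Reads the configuration from stdin or from the files given as arguments.
# Prints one finding per line:
#   WORLD <dev> <mode>        mode grants access to users outside the group
#   GROUP <dev> <user:group>  device group is not operator
audit_devfs_conf() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }            # skip comments and short lines
        { dev = $2; sub(/^\/dev\//, "", dev) }  # accept fd0 and /dev/fd0 alike
        $1 == "own"  { owner[dev] = $3; seen[dev] = 1 }
        $1 == "perm" { mode[dev]  = $3; seen[dev] = 1 }
        END {
            for (dev in seen) {
                # The last octal digit holds the permissions for "other".
                if ((dev in mode) && substr(mode[dev], length(mode[dev]), 1) != "0")
                    print "WORLD", dev, mode[dev]
                if (dev in owner) {
                    split(owner[dev], part, ":")
                    if (part[2] != "operator")
                        print "GROUP", dev, owner[dev]
                }
            }
        }
    ' "$@" | sort
}

# Constructed sample configuration (not taken from a real system).
sample_devfs_conf() {
    cat <<'EOF'
# floppy: matches the policy
own   /dev/fd0   root:operator
perm  /dev/fd0   0660
# cdrom: opened up to every user
own   /dev/acd0  root:operator
perm  /dev/acd0  0666
# hypothetical extra device left in a different group
own   /dev/da0   root:wheel
perm  /dev/da0   0660
EOF
}

sample_devfs_conf | audit_devfs_conf
```

On a real system, run `audit_devfs_conf /etc/devfs.conf`; no output means every listed device follows the root:operator, no-world-access scheme.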

Step 3 tidying up

By means of the file-system-table file, /etc/fstab.

There can be multiple entries in the same fstab file for a single device - this allows an entry for each user. Users cannot all share the same mount point, since they cannot all own the generic mount point. The relevant entries in my fstab file look like this:

    /dev/fd0 /mnt/floppy auto noauto 0 0
    /dev/fd0 /home/glyn/mnt auto noauto 0 0
    /dev/acd1 /mnt/cdrom cd9660 ro,noauto 0 0
    /dev/acd1 /home/glyn/mnt cd9660 ro,noauto 0 0

The mount points in /mnt are owned by root while the mount points in /home/glyn are owned by glyn. Now, for example, user glyn can mount the CDROM device by typing:

  mount ~/mnt


Last edited: Tue Aug 31 23:41:09 BST 2010