Using the Device-Allocation Commands
This section describes some of the options to the allocate, deallocate, and list_devices commands that are usable only by root or a role of equivalent power. The commands are detailed on their respective man pages.
- allocate -F device_special_filename
Reallocates the specified device. This option is often used with the -U option to reallocate the specified device to the specified user. Without the -U option, the device is allocated to root.
- allocate -U username
Causes the device to be allocated to the user who is specified rather than to the current user. This option allows you to allocate a device for another user while you are root, without having to assume that user's identity.
- deallocate -F device_special_filename
Forces the deallocation of a device. Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. When a user forgets to deallocate a tape drive, you can force deallocation by using the -F option while you are root.
- deallocate -I
Forces the deallocation of all allocatable devices. This option should be used only at system initialization.
- list_devices
Lists all the device-special files that are associated with any device that is listed in the device_maps file.
- list_devices -U username
Lists the devices that are allocatable or allocated to the user ID that is associated with the specified user name. This option allows you to check which devices are allocatable or allocated to another user while you are root.
The Allocate Error State
An allocatable device is in the allocate error state if it is owned by user bin and group bin with a device-special file mode of 0100. If a user wants to allocate a device that is in the allocate error state, you should try to force the deallocation of the device, by using the deallocate command with the -F option. Or, you can use allocate -U to assign the device to the user, then investigate any error messages that appear. After any problems with the device are corrected, you must rerun the deallocate -F or allocate -F command to clear the allocate error state from the device.
The device_maps File
You can examine the /etc/security/device_maps file to determine the device names, device types, and device-special files that are associated with each allocatable device. See the device_maps(4) man page. Device maps are created when you set up device allocation. A rudimentary device_maps file is created by bsmconv when the BSM is enabled. This initial device_maps file should be used only as a starting point. You can then augment and customize the device_maps file for your site.
The device_maps file defines the device-special file mappings for each device, which in many cases is not intuitive. This file allows various programs to discover which device-special files map to which devices. You can use the dminfo command, for example, to retrieve the device name, the device type, and the device-special files to specify when you set up an allocatable device. The dminfo command uses the device_maps file to report this information.
Each device is represented by a one-line entry of the form:
device-name:device-type:device-list
Lines in the device_maps file can end with a backslash (\) to continue an entry on the next line. Comments can also be included. A "#" makes a comment out of all subsequent text until the next newline not immediately preceded by a backslash. Leading and trailing blanks are allowed in any field.
- device-name
Specifies the name of the device, for example st0, fd0, or audio. The device name that is specified here must correspond to the name of the lock file that is used in the /etc/security/dev directory.
- device-type
Specifies the generic device type (which is the name for the class of devices, such as st, fd, audio). The device-type field logically groups related devices.
- device-list
Lists of the device-special files that are associated with the physical device. The device-list must contain all of the special files that allow access to a particular device. If the list is incomplete, a malevolent user can still obtain or modify private information. Valid entries for the device-list field are either the real device files located under /devices or the symbolic links that are in /dev. The symbolic links in the /dev directory are provided for binary compatibility.
The following is an example of a device_maps file entries for SCSI tape st0 and diskette fd0.
fd0:\ fd:\ /dev/fd0 /dev/fd0a /dev/fd0b /dev/rfd0 /dev/rfd0a /dev/rfd0b:\ . . . st0:\ st:\ /dev/rst0 /dev/rst8 /dev/rst16 /dev/nrst0 /dev/nrst8 /dev/nrst16:\ |
The device_allocate File
You can modify the device_allocate file to change devices from allocatable to nonallocatable, or to add new devices. A sample device_allocate file follows.
st0;st;;;;/etc/security/lib/st_clean fd0;fd;;;;/etc/security/lib/fd_clean sr0;sr;;;;/etc/security/lib/sr_clean audio;audio;;;*;/etc/security/lib/audio_clean |
You define which devices should be allocatable during initial BSM configuration. You can decide to accept the default devices and their defined characteristics, as shown in the preceding sample device_allocate file. Whenever you add a device to any machine after the system is up and running, you must decide whether to make the new device allocatable.
After installation, you can modify the entries for devices in the device_allocate file. Any device that needs to be allocated before use must be defined in the device_allocate file on each machine. Currently, cartridge tape drives, diskette drives, CD-ROM devices, and audio chips are considered allocatable and have device-clean scripts.
Note - Xylogics™ tape drives or Archive tape drives also use the st_clean script that is supplied for SCSI devices. Other devices that you can make allocatable are modems, terminals, graphics tablets, and similar devices. However, you need to create your own device-clean scripts for such devices, and the script must fulfill object-reuse requirements for that type of device.
An entry in the device_allocate file does not mean that the device is allocatable, unless the entry specifically states that the device is allocatable. In the sample device_allocate file, note the asterisk (*) in the fifth field of the audio device entry. An asterisk in the fifth field indicates to the system that the device is not allocatable. That is, the system administrator does not require a user to allocate the device before it is used nor to deallocate it afterward. Any other string placed in this field indicates that the device is allocatable.
In the device_allocate file, you represent each device by a one-line entry of the form:
device-name;device-type;reserved;reserved;alloc;device-clean |
For example, the following line shows the entry for device name st0:
st0;st;;;;;/etc/security/lib/st_clean |
Lines in the device_allocate file can end with a "\" to continue an entry on the next line. Comments can also be included. A "#" makes a comment out of all subsequent text until the next newline not immediately preceded by a "\". Leading and trailing blanks are allowed in any field.
The following paragraphs describe each field in the device_allocate file.
- device-name
Specifies the name of the device; for example, st0, fd0, or sr0. When you make a device allocatable, retrieve the device-name from the device-name field in the device_maps file, or use the dminfo command. (The name is also the DAC file name for the device.)
- device-type
Specifies the generic device type (which is the name for the class of devices, such as st, fd, and sr). This field groups related devices. When you make an allocatable device, retrieve the device-type from the device-type field in the device_maps file, or use the dminfo command.
- reserved
These two fields are reserved for future use.
- alloc
Specifies whether the device is allocatable. An asterisk (*) in this field indicates that the device is not allocatable. Any other string, or an empty field, indicates that the device is allocatable.
- device-clean
Supplies the path name of a script to be invoked for special handling, such as cleanup and object-reuse protection during the allocation process. The device-clean script is run any time that the device is acted on by the deallocate command, such as when a device is forcibly deallocated with deallocate -F.
Device-Clean Scripts
The device-clean scripts address the security requirement that all usable data be purged from a physical device before reuse. By default, cartridge tape drives, diskette drives, CD-ROM devices, and audio devices require device-clean scripts, which are provided. This section describes what device-clean scripts do.
Object Reuse
Device allocation satisfies part of the object-reuse requirement. The device-clean scripts make sure that data that is left on a device by one user is cleared before the device is allocatable by another user.
Device-Clean Script for Tapes
The st_clean device-clean script supports three tape devices. The supported tape devices are:
SCSI 1/4-inch tape
Archive 1/4-inch tape
Open-reel 1/2-inch tape
The st_clean script uses the rewoffl option to the mt command to affect the device cleanup. For more information, see the mt(1) man page. If the script runs during system boot, it queries the device to see if the device is online and has media in it. The 1/4-inch tape devices that have media in them, are placed in the allocate error state to force the administrator to clean up the device manually.
During normal system operation, when the allocate or deallocate command is executed in interactive mode, the user is prompted to remove the media from the device that is being deallocated. The script pauses until the media is removed from the device.
Device-Clean Scripts for Diskettes and CD-ROM Devices
The following table shows the device-clean scripts for diskettes and CD-ROM devices.
Table 25-9 Device-Clean Scripts for Diskettes and CD-ROM Devices
Disk Device Type | Device-Clean Script |
|---|---|
Diskette | |
CD-ROM |
The scripts use the eject command to remove the media from the drive. See the eject(1) man page. If the eject command fails, the device is placed in the allocate error state.