You can use device allocation to decrease the security risk that is associated with various removable media.
The following task map describes the major steps that are required to define a new allocatable device.
Task | Description | For Instructions
---|---|---
1. Create or change an entry in the device_allocate file | Defines which devices are controlled by the device-allocation mechanism. |
2. Create a lock file | Enables the device-allocation mechanism to work on a specific device. |
3. (Optional) Create a device-clean script | Purges data from a physical device. |
4. Allocate the device | Adds a device to the device-allocation mechanism. |
5. (Optional) Deallocate the device | Removes a device from use. |
The lock files are zero-length files that are created in the /etc/security/dev directory. One file is created for each allocatable device. If no lock file exists for a device, the device cannot be allocated, so no one can access the device.
1. Become superuser or assume an equivalent role.
2. Obtain the device name for the device from its entry in the device_maps file by using the dminfo command. See The device_maps File and the dminfo(1M) and device_maps(4) man pages. For example, the device name for device type st is st0. In the next step, you use the device name as the name of the lock file.
3. Create an empty lock file for the device by using the touch command. Use the device name for the file name in place of device-name.
```
# cd /etc/security/dev
# touch device-name
# chmod 600 device-name
# chown bin device-name
# chgrp bin device-name
```
This procedure defines which devices can be used with the device allocation mechanism.
1. Become superuser or assume an equivalent role.
2. Determine which devices are listed in the /etc/security/device_allocate file.
3. Decide if there are devices that are not in the device_allocate file, yet should be made allocatable.
4. Edit the device_allocate file and add the new device. Each entry should use the following format:
```
device-name;device-type;;;;program
```
device-name: Specifies the name of the device.
device-type: Specifies the device type.
program: Specifies the purge program to be run.
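The lock-file procedure and the device_allocate entry format above suggest a simple audit: every device listed in device_allocate should have a lock file in /etc/security/dev with mode 600 and owner and group bin, otherwise the device either cannot be allocated at all or its lock file is writable by others. The following POSIX shell script is an added example, not part of the Solaris documentation; it runs against a constructed sample in a temporary directory (the purge-program paths are invented) and takes the expected owner and group as arguments so it can be tried without root.

```shell
#!/bin/sh
# Added example: audit that every device in a device_allocate file has a lock
# file with mode 600 and the expected owner/group (bin:bin on a real system).
# Field layout follows the page: device-name;device-type;;;;program

# Prints one line per device: "<dev> ok", "<dev> MISSING ...",
# "<dev> BAD-MODE ..." or "<dev> BAD-OWNER ...".
# $1 device_allocate file, $2 lock directory, $3 owner, $4 group (default bin)
audit_lock_files() {
    alloc_file=$1; lock_dir=$2; owner=${3:-bin}; group=${4:-bin}
    grep -v '^#' "$alloc_file" | while IFS=';' read -r dev _type _r1 _r2 _r3 _prog; do
        [ -n "$dev" ] || continue               # skip blank lines
        lock="$lock_dir/$dev"
        if [ ! -f "$lock" ]; then
            # no lock file means the device can never be allocated
            echo "$dev MISSING lock file $lock"
        elif [ -z "$(find "$lock" -perm 600)" ]; then
            echo "$dev BAD-MODE expected 600"
        elif [ -z "$(find "$lock" -user "$owner" -group "$group")" ]; then
            echo "$dev BAD-OWNER expected $owner:$group"
        else
            echo "$dev ok"
        fi
    done
}

# Build a constructed sample: three entries, one correct lock file, one with
# a permissive mode, one with no lock file. Purge-program paths are invented.
make_sample() {
    sample=$(mktemp -d)
    mkdir "$sample/dev"
    printf '%s\n' '# constructed sample device_allocate' \
        'st0;st;;;;/opt/example/st_clean' \
        'fd0;fd;;;;/opt/example/fd_clean' \
        'sr0;sr;;;;/opt/example/sr_clean' > "$sample/device_allocate"
    touch "$sample/dev/st0"; chmod 600 "$sample/dev/st0"   # correct
    touch "$sample/dev/fd0"; chmod 644 "$sample/dev/fd0"   # too permissive
    echo "$sample"
}

# Demo against the sample, using the current uid/gid so it runs without root.
# On a real system: audit_lock_files /etc/security/device_allocate /etc/security/dev bin bin
sample_dir=$(make_sample)
audit_lock_files "$sample_dir/device_allocate" "$sample_dir/dev" "$(id -u)" "$(id -g)"
rm -rf "$sample_dir"
```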
1. Become superuser or assume an equivalent role.
2. Use the allocate command with a device that is specified by device name.
```
sar1% allocate st0
```
You can also allocate a device by device type by using the -g option to the allocate command.
If the command cannot allocate the device, an error message is displayed in the console window. For a list of allocation error messages, see the allocate(1) man page.
For example, to allocate the printer that is named chestnut, type the following command. Only the user who ran the allocate command can use the printer.
```
sar1% allocate /dev/lp/chestnut
```
Deallocation enables other users to allocate and use the device when you are finished.
Deallocate a device by using the deallocate command followed by the device file name.
```
sar1% deallocate st0
```
To deallocate a printer that is named chestnut, type the following command:
```
# deallocate /dev/lp/chestnut
```
Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. You most commonly need the following form of the deallocate command when a user forgets to deallocate a specific device. The following command deallocates the device so that other users can allocate it.
```
# deallocate -F st0
```
You can deallocate all devices only at system initialization time.
```
# deallocate -I
```