SUMMARY:How to block access to tape device ?

Date: Thu Oct 09 1997 - 07:39:55 CDT

Hello Sunmanagers

Some time back I had asked for ways to lock access to a tape
device while taking backup.

Here's my original post :

> I have this problem while doing a backup - I have to back up
> about 10 GB data every week for which I use ufsdump on Solaris
> 2.5.1 running on Ultra2. The 8mm DAT drive is half a mile (well
> almost!) away from where I sit. Every time I have to change
> volumes on the DAT I have to run this distance and do the
> needful. My worry is that in the while that ufsdump is waiting
> for the next volume to be inserted, anybody can write to the
> volume already inside the DAT drive, or eject using the mt
> command.
> Is there a way by which I can block off access to the tape
> device, so that I know for sure that no one is able to disrupt
> my backups. Naturally I should be able to restore access once
> my job is done.
> I urgently require a solution to this as we have only one
> 8mm DAT which everybody uses, and often there have been
> accidental overwrites by one guy on another guy's tape.

I have received the following basic suggestions :

1> Francois Leclerc ( had suggested an RTFM in system
   administration answerbook and search for C2 features allocate,
   deallocate. There is a bsmconv script in /etc/security which enables
        the basic security module, after which allocate and deallocate
        utilities can be used to lock and unlock access to a specified device.

2> Matthew ( suggested to use the "-l" option
        of ufsdump. This automatically rewinds and ejects the tape when
        the end of tape is reached.

3> All the others have suggested writing a wrapper script that
   basically does a chown (to the login id using the tape device) and
   chmod on the device files (in my case /dev/rst9 /dev/nrst9) for the
        duration of the backup procedure, after which file ownership
        and permissions are restored to root.

Here are the setuid scripts that I have concocted for my site.

# file : lock_tape
# usage : lock_tape
# This should have the permissions -
# -rws--x--x 1 root staff 349 Oct 1 19:01 lock_tape*

owner=`ls -l /dev/?rst9 | tr -s " " " " | cut -f3 -d" "`
if [ $owner = "root" ]
        echo "Locking tape device $TAPE for $USER..."
        chown $USER /dev/nrst9 /dev/rst9
        chmod go-rw /dev/nrst9 /dev/rst9
        echo "Please run unlock_tape after you finish your job"
        echo "Locked by $owner already ... "
        echo "Try after some time ... "

# file : unlock_tape
# usage : unlock_tape
# This should have the permissions -
# -rws--x--x 1 root staff 349 Oct 1 19:01 unlock_tape*

owner=`ls -l /dev/?rst9 | tr -s " " " " | cut -f3 -d" "`
if [ $owner = $USER ]
        echo "Unlocking tape device $TAPE..."
        chown root /dev/nrst9 /dev/rst9
        chmod go+rw /dev/nrst9 /dev/rst9
        echo "$TAPE has been locked by $owner ... "
        echo "Cannot unlock $TAPE "


But in case you want to lock the tape device as root use the following
scripts. These scripts essentially remove the suid bits from the
earlier two scripts and removes rw permissions for others.

# file : lock_tape_root
# usage : lock_tape_root
# This should have the permissions -
# -rwx------ 1 root daemon 247 Oct 1 18:28 lock_tape_root*

echo "Removing setuid from lock_tape & unlock_tape scripts."
echo "Locking tape access for root only ..."
chmod u-s /usr/bin/lock_tape /usr/bin/unlock_tape
chmod go-rw /dev/nrst9 /dev/rst9
echo "Remember to restore permissions ... "

# file : unlock_tape_root
# usage : unlock_tape_root
# This should have the permissions -
# -rwx------ 1 root daemon 247 Oct 1 18:28 unlock_tape_root*

echo "Restoring setuid on lock_tape & unlock_tape scripts."
chmod 04711 /usr/bin/lock_tape /usr/bin/unlock_tape
chmod go+rw /dev/nrst9 /dev/rst9

Thanks a lot to all who replied.

Jaydeep Kulkarni

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:05 CDT