Mentioned Solaris and system dependent drive permission settings

This commit is contained in:
Thomas Schmitt 2010-06-10 18:15:56 +00:00
parent 6e0cd74a48
commit 6830ca297c
4 changed files with 166 additions and 68 deletions

View File

@ -41,8 +41,8 @@ components:
plus on FreeBSD: libiconv, libcam, IDE and SATA drives need atapicam
Optional at compile time are:
libreadline and the readline-dev headers make dialog mode more convenient.
on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs.
zlib and zlib-devel allow zisofs compression.
on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs.
If they were present at compile time, then the optional libraries have to
be present at runtime, too.
@ -134,24 +134,29 @@ A list of rw-accessible drives can be obtained by
xorriso -devices
CD devices which offer no rw-permission are invisible to normal users.
CD devices which offer not enough permission are invisible to normal users.
The superuser should be able to see any usable drive and then set the
permissions as needed.
On Linux and FreeBSD, rw-permissions are needed.
On Solaris, the privilege "sys_devices" and r-permission are needed.
The output of xorriso -devices might look like
0 -dev '/dev/sr0' rwrw-- : 'TSSTcorp' 'CDDVDW SH-S203B'
1 -dev '/dev/hda' rwrw-- : 'HL-DT-ST' 'DVD-ROM GDR8162B'
Full and insecure enabling of both for everybody would look like
On Linux, full and insecure enabling of both for everybody would look like
chmod a+rw /dev/sr0 /dev/hda
This is equivalent to the traditional setup chmod a+x,u+s cdrecord.
On FreeBSD, device permissions are to be set in /etc/devfs.rules.
On Solaris, pfexec privileges may be restricted to "base,sys_devices".
See below "System Dependend Drive Permission Examples".
I strongly discourage to run xorriso with setuid root or via sudo !
It is not checked for the necessary degree of hacker safety.
Consider to put all authorized users into group "floppy", to chgrp the
device file to that group and to disallow w-access to others.
Better consider to grant the necessary permissions to group "floppy"
and to add users to it.
A possible source of problems are hald or other automounters.
@ -293,6 +298,83 @@ setup unless you have reason to enforce a newer bug fix level.
GNU xorriso has less runtime dependencies and can be moved more freely.
System Dependend Drive Permission Examples
Accessing the optical drives requires privileges which usually are granted
only to the superuser. GNU/Linux, FreeBSD and Solaris offer quite different
approaches for avoiding the need for unrestricted privileges.
First check whether some friendly system setting already allows you to
access the drives as normal user:
xorriso -devices
Those drives of which you see address and type strings are already usable.
If there remain drives invisible which the superuser can see by the same
command, then the following examples might help:
---------------------
On all three systems:
---------------------
Add the authorized users of CD drives to group "floppy" in /etc/group.
If missing: create this group.
Changes to /etc/group often only affect new login sessions. So log out and in
before making the first tests.
-------------
On GNU/Linux:
-------------
Allow rw-access to the drives
chgrp floppy /dev/sr0 /dev/sr1
chmod g+rw /dev/sr0 /dev/sr1
It might be necessary to perform chgrp and chmod after each reboot or to
edit distro dependent device configuration files for permanent settings.
-----------
On FreeBSD:
-----------
Edit /etc/devfs.rules and make sure to have these lines
[localrules=10]
add path 'acd*' mode 0664 group floppy
add path 'cd*' mode 0664 group floppy
add path 'pass*' mode 0664 group floppy
add path 'xpt*' mode 0664 group floppy
[localrules=5]
add path 'pass*' mode 0664 group floppy
add path 'cd*' mode 0664 group floppy
add path 'xpt*' mode 0664 group floppy
add path 'acd*' mode 0664 group floppy
Edit /etc/rc.conf and add the following line if missing
devfs_system_ruleset="localrules"
This gets into effect by reboot or by command
/etc/rc.d/devfs start
-----------
On Solaris:
-----------
Run xorriso by
pfexec xorriso ...arguments...
The following settings will make pfexec keep original UID and EUID and prevent
most superuser powers. Be aware that you still can manipulate all device files
if you have the file permissions for that.
Full root privileges for xorriso can then be aquired only by command su.
Edit /etc/security/exec_attr and add this line to the other "Media Backup"
lines:
Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices
Edit /etc/user_attr and add profile "Media Backup" to the user's line:
thomas::::profiles=Media Backup,Primary Administrator;roles=root
See also man privileges, man exec_attr, man user_attr.
Then allow the group r-access to the drives
pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
pfexec chmod g+r /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
The last two commands have to be executed after each boot. I do not know
the relevant device configuration files yet.
------------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify

View File

@ -9,7 +9,7 @@
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH XORRISO 1 "May 22, 2010"
.TH XORRISO 1 "Jun 10, 2010"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
@ -291,6 +291,10 @@ On FreeBSD the device files have names like
.br
-dev /dev/cd0
.br
On OpenSolaris:
.br
-dev /dev/rdsk/c4t0d0s2
.br
Get a list of accessible drives by command
.br
-devices
@ -3145,7 +3149,7 @@ Personality "\fBmkisofs\fR" accepts the options listed with:
Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list,
-f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z,
-no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G,
-output-charset, pathspecs as with xorriso -add.
-output-charset, -U, pathspecs as with xorriso -add.
A lot of options are not supported and lead to failure of the mkisofs
emulation. Some are ignored, but better do not rely on this tolerance.
.br
@ -3497,8 +3501,10 @@ Restore directory trees from a particular ISO session to disk
Try to retrieve blocks from a damaged media
.SS
.B As superuser learn about available drives
Consider to give rw permissions to those users or groups
On Linux or FreeBSD consider to give rw-permissions to those users or groups
which shall be able to use the drives with xorriso.
On Solaris use pfexec. Consider to restrict privileges of xorriso to
"base,sys_devices" and to give r-permission to user or group.
.br
$ xorriso -devices
.br
@ -4013,7 +4019,7 @@ for libburnia-project.org
.SH COPYRIGHT
Copyright (c) 2007 - 2010 Thomas Schmitt
.br
Permission is granted to distrubute this text freely. It shall only be
Permission is granted to distribute this text freely. It shall only be
modified in sync with the technical properties of xorriso. If you make use
of the license to derive modified versions of xorriso then you are entitled
to modify this text under that same license.

View File

@ -265,6 +265,8 @@ character device. E.g.
-dev /dev/sg2
On FreeBSD the device files have names like
-dev /dev/cd0
On OpenSolaris:
-dev /dev/rdsk/c4t0d0s2
Get a list of accessible drives by command
-devices
It might be necessary to do this as *superuser* in order to see all
@ -2816,10 +2818,10 @@ programs trigger comparable actions.
Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m,
-exclude-list, -f, -print-size, -pad, -no-pad, -V, -v, -version,
-graft-points, -z, -no-emul-boot, -b, -c, -boot-info-table,
-boot-load-size, -input-charset, -G, -output-charset, pathspecs as
with xorriso -add. A lot of options are not supported and lead to
failure of the mkisofs emulation. Some are ignored, but better do
not rely on this tolerance.
-boot-load-size, -input-charset, -G, -output-charset, -U,
pathspecs as with xorriso -add. A lot of options are not
supported and lead to failure of the mkisofs emulation. Some are
ignored, but better do not rely on this tolerance.
-graft-points is equivalent to -pathspecs on. Note that pathspecs
without "=" are interpreted differently than with xorriso option
-add. Directories get merged with the root directory of the ISO
@ -3117,8 +3119,10 @@ File: xorriso.info, Node: ExDevices, Next: ExCreate, Prev: Frontend, Up: Exa
10.1 As superuser learn about available drives
==============================================
Consider to give rw permissions to those users or groups which shall be
able to use the drives with xorriso.
On Linux or FreeBSD consider to give rw-permissions to those users or
groups which shall be able to use the drives with xorriso. On Solaris
use pfexec. Consider to restrict privileges of xorriso to
"base,sys_devices" and to give r-permission to user or group.
$ xorriso -devices
0 -dev '/dev/sr0' rwrw-- : '_NEC ' 'DVD_RW ND-4570A'
@ -3614,7 +3618,7 @@ for libburnia-project.org
==============
Copyright (c) 2007 - 2010 Thomas Schmitt
Permission is granted to distrubute this text freely. It shall only be
Permission is granted to distribute this text freely. It shall only be
modified in sync with the technical properties of xorriso. If you make
use of the license to derive modified versions of xorriso then you are
entitled to modify this text under that same license.
@ -4059,51 +4063,51 @@ Node: Model3209
Node: Media6089
Node: Methods8519
Node: Drives11066
Node: Extras14332
Node: Processing17730
Node: Dialog21226
Node: Options22883
Node: AqDrive24451
Node: Loading27357
Node: Insert39792
Node: SetInsert48149
Node: Manip56716
Node: CmdFind64592
Node: Filter73937
Node: Writing78286
Node: SetWrite84575
Node: Bootable94859
Node: Charset102607
Node: Exception105361
Node: DialogCtl109876
Node: Inquiry112221
Node: Navigate116361
Node: Verify123715
Node: Restore132135
Node: Emulation138791
Node: Scripting145660
Node: Frontend151222
Node: Examples152423
Node: ExDevices153592
Node: ExCreate154074
Node: ExDialog155348
Node: ExGrowing156610
Node: ExModifying157412
Node: ExBootable157913
Node: ExCharset158460
Node: ExPseudo159288
Node: ExCdrecord160182
Node: ExMkisofs160497
Node: ExGrowisofs161500
Node: ExException162624
Node: ExTime163078
Node: ExIncBackup163537
Node: ExRestore167009
Node: ExRecovery167978
Node: Files168544
Node: Seealso169582
Node: Legal170106
Node: CommandIdx171028
Node: ConceptIdx184329
Node: Extras14372
Node: Processing17770
Node: Dialog21266
Node: Options22923
Node: AqDrive24491
Node: Loading27397
Node: Insert39832
Node: SetInsert48189
Node: Manip56756
Node: CmdFind64632
Node: Filter73977
Node: Writing78326
Node: SetWrite84615
Node: Bootable94899
Node: Charset102647
Node: Exception105401
Node: DialogCtl109916
Node: Inquiry112261
Node: Navigate116401
Node: Verify123755
Node: Restore132175
Node: Emulation138831
Node: Scripting145704
Node: Frontend151266
Node: Examples152467
Node: ExDevices153636
Node: ExCreate154270
Node: ExDialog155544
Node: ExGrowing156806
Node: ExModifying157608
Node: ExBootable158109
Node: ExCharset158656
Node: ExPseudo159484
Node: ExCdrecord160378
Node: ExMkisofs160693
Node: ExGrowisofs161696
Node: ExException162820
Node: ExTime163274
Node: ExIncBackup163733
Node: ExRestore167205
Node: ExRecovery168174
Node: Files168740
Node: Seealso169778
Node: Legal170302
Node: CommandIdx171224
Node: ConceptIdx184525

End Tag Table

View File

@ -19,7 +19,7 @@
@c The first line gets discarded.
@c Line start "@c man " will become "", the remainder is put out unaltered.
@c Lines "@*" will be converted to ".br"
@c @c man-ignore-lines N will discard N following lines.
@c "@c man-ignore-lines N" will discard N following lines.
@c "@c man-ignore-lines begin" discards all following lines
@c up to "@c man-ignore-lines end".
@c Line blocks of "@menu" "@end menu" will be discarded.
@ -44,7 +44,7 @@
@c man .\" First parameter, NAME, should be all caps
@c man .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
@c man .\" other parameters are allowed: see man(7), man(1)
@c man .TH XORRISO 1 "May 22, 2010"
@c man .TH XORRISO 1 "Jun 10, 2010"
@c man .\" Please adjust this date whenever revising the manpage.
@c man .\"
@c man .\" Some roff macros, for reference:
@ -410,6 +410,10 @@ On FreeBSD the device files have names like
@*
-dev /dev/cd0
@*
On OpenSolaris:
@*
-dev /dev/rdsk/c4t0d0s2
@*
Get a list of accessible drives by command
@*
-devices
@ -3766,7 +3770,7 @@ Personality "@strong{mkisofs}" accepts the options listed with:
Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list,
-f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z,
-no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G,
-output-charset, pathspecs as with xorriso -add.
-output-charset, -U, pathspecs as with xorriso -add.
A lot of options are not supported and lead to failure of the mkisofs
emulation. Some are ignored, but better do not rely on this tolerance.
@*
@ -4206,8 +4210,10 @@ Use text as name of this program and perform -help.
@c man .B As superuser learn about available drives
@node ExDevices, ExCreate, Frontend, Examples
@section As superuser learn about available drives
Consider to give rw permissions to those users or groups
On Linux or FreeBSD consider to give rw-permissions to those users or groups
which shall be able to use the drives with xorriso.
On Solaris use pfexec. Consider to restrict privileges of xorriso to
"base,sys_devices" and to give r-permission to user or group.
@*
@sp 1
$ xorriso -devices
@ -4886,7 +4892,7 @@ for libburnia-project.org
@section Copyright
Copyright (c) 2007 - 2010 Thomas Schmitt
@*
Permission is granted to distrubute this text freely. It shall only be
Permission is granted to distribute this text freely. It shall only be
modified in sync with the technical properties of xorriso. If you make use
of the license to derive modified versions of xorriso then you are entitled
to modify this text under that same license.