From 6830ca297c2361e670c6a70c16e1ac6e0f011cf2 Mon Sep 17 00:00:00 2001 From: Thomas Schmitt Date: Thu, 10 Jun 2010 18:15:56 +0000 Subject: [PATCH] Mentioned Solaris and system dependent drive permission settings --- libisoburn/trunk/xorriso/README_gnu_xorriso | 94 +++++++++++++++-- libisoburn/trunk/xorriso/xorriso.1 | 14 ++- libisoburn/trunk/xorriso/xorriso.info | 110 ++++++++++---------- libisoburn/trunk/xorriso/xorriso.texi | 16 ++- 4 files changed, 166 insertions(+), 68 deletions(-) diff --git a/libisoburn/trunk/xorriso/README_gnu_xorriso b/libisoburn/trunk/xorriso/README_gnu_xorriso index 62d643be..48158331 100644 --- a/libisoburn/trunk/xorriso/README_gnu_xorriso +++ b/libisoburn/trunk/xorriso/README_gnu_xorriso @@ -41,8 +41,8 @@ components: plus on FreeBSD: libiconv, libcam, IDE and SATA drives need atapicam Optional at compile time are: libreadline and the readline-dev headers make dialog mode more convenient. - on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs. zlib and zlib-devel allow zisofs compression. + on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs. If they were present at compile time, then the optional libraries have to be present at runtime, too. @@ -134,24 +134,29 @@ A list of rw-accessible drives can be obtained by xorriso -devices -CD devices which offer no rw-permission are invisible to normal users. +CD devices which offer not enough permission are invisible to normal users. The superuser should be able to see any usable drive and then set the permissions as needed. +On Linux and FreeBSD, rw-permissions are needed. +On Solaris, the privilege "sys_devices" and r-permission are needed. The output of xorriso -devices might look like 0 -dev '/dev/sr0' rwrw-- : 'TSSTcorp' 'CDDVDW SH-S203B' 1 -dev '/dev/hda' rwrw-- : 'HL-DT-ST' 'DVD-ROM GDR8162B' -Full and insecure enabling of both for everybody would look like +On Linux, full and insecure enabling of both for everybody would look like chmod a+rw /dev/sr0 /dev/hda This is equivalent to the traditional setup chmod a+x,u+s cdrecord. +On FreeBSD, device permissions are to be set in /etc/devfs.rules. +On Solaris, pfexec privileges may be restricted to "base,sys_devices". +See below "System Dependend Drive Permission Examples". + I strongly discourage to run xorriso with setuid root or via sudo ! It is not checked for the necessary degree of hacker safety. - -Consider to put all authorized users into group "floppy", to chgrp the -device file to that group and to disallow w-access to others. +Better consider to grant the necessary permissions to group "floppy" +and to add users to it. A possible source of problems are hald or other automounters. @@ -293,6 +298,83 @@ setup unless you have reason to enforce a newer bug fix level. GNU xorriso has less runtime dependencies and can be moved more freely. + System Dependend Drive Permission Examples + +Accessing the optical drives requires privileges which usually are granted +only to the superuser. GNU/Linux, FreeBSD and Solaris offer quite different +approaches for avoiding the need for unrestricted privileges. + +First check whether some friendly system setting already allows you to +access the drives as normal user: + xorriso -devices +Those drives of which you see address and type strings are already usable. + +If there remain drives invisible which the superuser can see by the same +command, then the following examples might help: + +--------------------- +On all three systems: +--------------------- +Add the authorized users of CD drives to group "floppy" in /etc/group. +If missing: create this group. +Changes to /etc/group often only affect new login sessions. So log out and in +before making the first tests. + +------------- +On GNU/Linux: +------------- +Allow rw-access to the drives + chgrp floppy /dev/sr0 /dev/sr1 + chmod g+rw /dev/sr0 /dev/sr1 +It might be necessary to perform chgrp and chmod after each reboot or to +edit distro dependent device configuration files for permanent settings. + +----------- +On FreeBSD: +----------- +Edit /etc/devfs.rules and make sure to have these lines + [localrules=10] + add path 'acd*' mode 0664 group floppy + add path 'cd*' mode 0664 group floppy + add path 'pass*' mode 0664 group floppy + add path 'xpt*' mode 0664 group floppy + [localrules=5] + add path 'pass*' mode 0664 group floppy + add path 'cd*' mode 0664 group floppy + add path 'xpt*' mode 0664 group floppy + add path 'acd*' mode 0664 group floppy + +Edit /etc/rc.conf and add the following line if missing + devfs_system_ruleset="localrules" + +This gets into effect by reboot or by command + /etc/rc.d/devfs start + +----------- +On Solaris: +----------- +Run xorriso by + pfexec xorriso ...arguments... + +The following settings will make pfexec keep original UID and EUID and prevent +most superuser powers. Be aware that you still can manipulate all device files +if you have the file permissions for that. +Full root privileges for xorriso can then be aquired only by command su. + +Edit /etc/security/exec_attr and add this line to the other "Media Backup" +lines: + Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices +Edit /etc/user_attr and add profile "Media Backup" to the user's line: + thomas::::profiles=Media Backup,Primary Administrator;roles=root +See also man privileges, man exec_attr, man user_attr. + +Then allow the group r-access to the drives + pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2 + pfexec chmod g+r /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2 +The last two commands have to be executed after each boot. I do not know +the relevant device configuration files yet. + + ------------------------------------------------------------------------------ This program is free software; you can redistribute it and/or modify diff --git a/libisoburn/trunk/xorriso/xorriso.1 b/libisoburn/trunk/xorriso/xorriso.1 index 83382319..f2d62028 100644 --- a/libisoburn/trunk/xorriso/xorriso.1 +++ b/libisoburn/trunk/xorriso/xorriso.1 @@ -9,7 +9,7 @@ .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) -.TH XORRISO 1 "May 22, 2010" +.TH XORRISO 1 "Jun 10, 2010" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: @@ -291,6 +291,10 @@ On FreeBSD the device files have names like .br -dev /dev/cd0 .br +On OpenSolaris: +.br + -dev /dev/rdsk/c4t0d0s2 +.br Get a list of accessible drives by command .br -devices @@ -3145,7 +3149,7 @@ Personality "\fBmkisofs\fR" accepts the options listed with: Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list, -f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z, -no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G, --output-charset, pathspecs as with xorriso -add. +-output-charset, -U, pathspecs as with xorriso -add. A lot of options are not supported and lead to failure of the mkisofs emulation. Some are ignored, but better do not rely on this tolerance. .br @@ -3497,8 +3501,10 @@ Restore directory trees from a particular ISO session to disk Try to retrieve blocks from a damaged media .SS .B As superuser learn about available drives -Consider to give rw permissions to those users or groups +On Linux or FreeBSD consider to give rw-permissions to those users or groups which shall be able to use the drives with xorriso. +On Solaris use pfexec. Consider to restrict privileges of xorriso to +"base,sys_devices" and to give r-permission to user or group. .br $ xorriso -devices .br @@ -4013,7 +4019,7 @@ for libburnia-project.org .SH COPYRIGHT Copyright (c) 2007 - 2010 Thomas Schmitt .br -Permission is granted to distrubute this text freely. It shall only be +Permission is granted to distribute this text freely. It shall only be modified in sync with the technical properties of xorriso. If you make use of the license to derive modified versions of xorriso then you are entitled to modify this text under that same license. diff --git a/libisoburn/trunk/xorriso/xorriso.info b/libisoburn/trunk/xorriso/xorriso.info index 1e9914b2..6c4d262d 100644 --- a/libisoburn/trunk/xorriso/xorriso.info +++ b/libisoburn/trunk/xorriso/xorriso.info @@ -265,6 +265,8 @@ character device. E.g. -dev /dev/sg2 On FreeBSD the device files have names like -dev /dev/cd0 +On OpenSolaris: +-dev /dev/rdsk/c4t0d0s2 Get a list of accessible drives by command -devices It might be necessary to do this as *superuser* in order to see all @@ -2816,10 +2818,10 @@ programs trigger comparable actions. Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list, -f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z, -no-emul-boot, -b, -c, -boot-info-table, - -boot-load-size, -input-charset, -G, -output-charset, pathspecs as - with xorriso -add. A lot of options are not supported and lead to - failure of the mkisofs emulation. Some are ignored, but better do - not rely on this tolerance. + -boot-load-size, -input-charset, -G, -output-charset, -U, + pathspecs as with xorriso -add. A lot of options are not + supported and lead to failure of the mkisofs emulation. Some are + ignored, but better do not rely on this tolerance. -graft-points is equivalent to -pathspecs on. Note that pathspecs without "=" are interpreted differently than with xorriso option -add. Directories get merged with the root directory of the ISO @@ -3117,8 +3119,10 @@ File: xorriso.info, Node: ExDevices, Next: ExCreate, Prev: Frontend, Up: Exa 10.1 As superuser learn about available drives ============================================== -Consider to give rw permissions to those users or groups which shall be -able to use the drives with xorriso. +On Linux or FreeBSD consider to give rw-permissions to those users or +groups which shall be able to use the drives with xorriso. On Solaris +use pfexec. Consider to restrict privileges of xorriso to +"base,sys_devices" and to give r-permission to user or group. $ xorriso -devices 0 -dev '/dev/sr0' rwrw-- : '_NEC ' 'DVD_RW ND-4570A' @@ -3614,7 +3618,7 @@ for libburnia-project.org ============== Copyright (c) 2007 - 2010 Thomas Schmitt -Permission is granted to distrubute this text freely. It shall only be +Permission is granted to distribute this text freely. It shall only be modified in sync with the technical properties of xorriso. If you make use of the license to derive modified versions of xorriso then you are entitled to modify this text under that same license. @@ -4059,51 +4063,51 @@ Node: Model3209 Node: Media6089 Node: Methods8519 Node: Drives11066 -Node: Extras14332 -Node: Processing17730 -Node: Dialog21226 -Node: Options22883 -Node: AqDrive24451 -Node: Loading27357 -Node: Insert39792 -Node: SetInsert48149 -Node: Manip56716 -Node: CmdFind64592 -Node: Filter73937 -Node: Writing78286 -Node: SetWrite84575 -Node: Bootable94859 -Node: Charset102607 -Node: Exception105361 -Node: DialogCtl109876 -Node: Inquiry112221 -Node: Navigate116361 -Node: Verify123715 -Node: Restore132135 -Node: Emulation138791 -Node: Scripting145660 -Node: Frontend151222 -Node: Examples152423 -Node: ExDevices153592 -Node: ExCreate154074 -Node: ExDialog155348 -Node: ExGrowing156610 -Node: ExModifying157412 -Node: ExBootable157913 -Node: ExCharset158460 -Node: ExPseudo159288 -Node: ExCdrecord160182 -Node: ExMkisofs160497 -Node: ExGrowisofs161500 -Node: ExException162624 -Node: ExTime163078 -Node: ExIncBackup163537 -Node: ExRestore167009 -Node: ExRecovery167978 -Node: Files168544 -Node: Seealso169582 -Node: Legal170106 -Node: CommandIdx171028 -Node: ConceptIdx184329 +Node: Extras14372 +Node: Processing17770 +Node: Dialog21266 +Node: Options22923 +Node: AqDrive24491 +Node: Loading27397 +Node: Insert39832 +Node: SetInsert48189 +Node: Manip56756 +Node: CmdFind64632 +Node: Filter73977 +Node: Writing78326 +Node: SetWrite84615 +Node: Bootable94899 +Node: Charset102647 +Node: Exception105401 +Node: DialogCtl109916 +Node: Inquiry112261 +Node: Navigate116401 +Node: Verify123755 +Node: Restore132175 +Node: Emulation138831 +Node: Scripting145704 +Node: Frontend151266 +Node: Examples152467 +Node: ExDevices153636 +Node: ExCreate154270 +Node: ExDialog155544 +Node: ExGrowing156806 +Node: ExModifying157608 +Node: ExBootable158109 +Node: ExCharset158656 +Node: ExPseudo159484 +Node: ExCdrecord160378 +Node: ExMkisofs160693 +Node: ExGrowisofs161696 +Node: ExException162820 +Node: ExTime163274 +Node: ExIncBackup163733 +Node: ExRestore167205 +Node: ExRecovery168174 +Node: Files168740 +Node: Seealso169778 +Node: Legal170302 +Node: CommandIdx171224 +Node: ConceptIdx184525  End Tag Table diff --git a/libisoburn/trunk/xorriso/xorriso.texi b/libisoburn/trunk/xorriso/xorriso.texi index 90937f0c..81d46515 100644 --- a/libisoburn/trunk/xorriso/xorriso.texi +++ b/libisoburn/trunk/xorriso/xorriso.texi @@ -19,7 +19,7 @@ @c The first line gets discarded. @c Line start "@c man " will become "", the remainder is put out unaltered. @c Lines "@*" will be converted to ".br" -@c @c man-ignore-lines N will discard N following lines. +@c "@c man-ignore-lines N" will discard N following lines. @c "@c man-ignore-lines begin" discards all following lines @c up to "@c man-ignore-lines end". @c Line blocks of "@menu" "@end menu" will be discarded. @@ -44,7 +44,7 @@ @c man .\" First parameter, NAME, should be all caps @c man .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection @c man .\" other parameters are allowed: see man(7), man(1) -@c man .TH XORRISO 1 "May 22, 2010" +@c man .TH XORRISO 1 "Jun 10, 2010" @c man .\" Please adjust this date whenever revising the manpage. @c man .\" @c man .\" Some roff macros, for reference: @@ -410,6 +410,10 @@ On FreeBSD the device files have names like @* -dev /dev/cd0 @* +On OpenSolaris: +@* + -dev /dev/rdsk/c4t0d0s2 +@* Get a list of accessible drives by command @* -devices @@ -3766,7 +3770,7 @@ Personality "@strong{mkisofs}" accepts the options listed with: Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list, -f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z, -no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G, --output-charset, pathspecs as with xorriso -add. +-output-charset, -U, pathspecs as with xorriso -add. A lot of options are not supported and lead to failure of the mkisofs emulation. Some are ignored, but better do not rely on this tolerance. @* @@ -4206,8 +4210,10 @@ Use text as name of this program and perform -help. @c man .B As superuser learn about available drives @node ExDevices, ExCreate, Frontend, Examples @section As superuser learn about available drives -Consider to give rw permissions to those users or groups +On Linux or FreeBSD consider to give rw-permissions to those users or groups which shall be able to use the drives with xorriso. +On Solaris use pfexec. Consider to restrict privileges of xorriso to +"base,sys_devices" and to give r-permission to user or group. @* @sp 1 $ xorriso -devices @@ -4886,7 +4892,7 @@ for libburnia-project.org @section Copyright Copyright (c) 2007 - 2010 Thomas Schmitt @* -Permission is granted to distrubute this text freely. It shall only be +Permission is granted to distribute this text freely. It shall only be modified in sync with the technical properties of xorriso. If you make use of the license to derive modified versions of xorriso then you are entitled to modify this text under that same license.