Mentioned Solaris and system dependent drive permission settings

libburn/trunk/README

@@ -145,6 +145,8 @@ The project components (list subject to growth, hopefully):
            also allows to grow ISO-9660 filesystem images on multi-session
            media as well as on overwriteable media via the same API.
            All media peculiarities are handled automatically.
+           It also contains the methods of command oriented application
+           xorriso and offers them via a C language API.
 
 - cdrskin  is a limited cdrecord compatibility wrapper for libburn.
            cdrecord is a powerful GPL'ed burn program included in Joerg
@@ -164,6 +166,8 @@ The project components (list subject to growth, hopefully):
            changing, incremental backups, activating boot images, and
            extracting of files from ISO images to disk. An own ISO 9660
            extension stores ACLs, xattr, and MD5 of file content.
+           All features of xorriso are also available via a C language API
+           of libisoburn.
            See xorriso/README for more.
 
 - "test"   is a collection of application gestures and examples given by the

libburn/trunk/cdrskin/README

@@ -104,17 +104,25 @@ The output of  cdrskin --devices  might look like
     0  dev='/dev/sr0'  rwrwr- :  '_NEC'  'DVD_RW ND-4570A'
     1  dev='/dev/sr1'  rwrw-- :  'HL-DT-ST'  'DVDRAM GSA-4082B'
 
-So full and insecure enabling of both for everybody would look like
-
-    chmod a+rw /dev/sr0 /dev/sr1
-
+On Linux, full and insecure enabling of both for everybody would look like
+    chmod a+rw /dev/sr0 /dev/hda
 This is equivalent to the traditional setup chmod a+x,u+s cdrecord.
 
+On FreeBSD, device permissions are to be set in /etc/devfs.rules.
+On Solaris, pfexec privileges may be restricted to "base,sys_devices".
+See below "System Dependend Drive Permission Examples".
+
 I strongly discourage to run cdrskin with setuid root or via sudo !
 It is not checked for the necessary degree of hacker safety.
+Better consider to grant the necessary permissions to group "floppy"
+and to add users to it.
+
+
+A behavioral conflict is known between any burn software and demons like hald
+which probe CD drives. This can spoil burn runs for CD-R or CD-RW.
+You may have to keep your hald away from the drive. See for example
+   http://www.freebsd.org/gnome/docs/halfaq.html
 
-Consider to put all authorized users into group "floppy", to chgrp the
-device file to that group and to disallow w-access to others.
 
 Helpful with Linux kernel 2.4 is a special SCSI feature:
 It is possible to address a scsi(-emulated) drive via associated device files
@@ -123,11 +131,6 @@ as listed device files. This addressing via e.g. /dev/sr0 or /dev/scd1 is
 compatible with generic read programs like dd and with write program growisofs.
 For finding /dev/sg1 from /dev/sr0, the program needs rw-access to both files.
 
-A behavioral conflict is known between any burn software and demons like hald
-which probe CD drives. This can spoil burn runs for CD-R or CD-RW.
-You may have to keep your hald away from the drive. See for example
-   http://www.freebsd.org/gnome/docs/halfaq.html
-
 
                                 Usage examples 
 
@@ -434,6 +437,77 @@ It will not read startup files, will abort on option  dev_translation= ,
 will not have a fifo buffer, and will not be able to put out help texts or
 debugging messages.
 
+------------------------------------------------------------------------------
+
+                  System Dependend Drive Permission Examples
+
+Accessing the optical drives requires privileges which usually are granted
+only to the superuser. Linux, FreeBSD and Solaris offer quite different
+approaches for avoiding the need for unrestricted privileges.
+
+--------------------- 
+On all three systems:
+--------------------- 
+Add the authorized user of CD drives to group "floppy" in /etc/group.
+If missing: create this group.
+Changes to /etc/group often only affect new login sessions. So log out and in
+before making the first tests.
+
+---------
+On Linux:
+---------
+Allow rw-access to the drives
+  chgrp floppy /dev/sr0 /dev/sr1
+  chmod g+rw   /dev/sr0 /dev/sr1
+It might be necessary to perform chgrp and chmod after each reboot or to
+edit distro dependent device configuration files for permanent settings.
+
+-----------
+On FreeBSD:
+-----------
+On FreeBSD:
+Edit /etc/devfs.rules and make sure to have these lines
+  [localrules=10]
+  add path 'acd*' mode 0664 group floppy
+  add path 'cd*' mode 0664 group floppy
+  add path 'pass*' mode 0664 group floppy
+  add path 'xpt*' mode 0664 group floppy
+  [localrules=5]
+  add path 'pass*' mode 0664 group floppy
+  add path 'cd*' mode 0664 group floppy
+  add path 'xpt*' mode 0664 group floppy
+  add path 'acd*' mode 0664 group floppy
+
+Edit /etc/rc.conf and add the following line if missing
+  devfs_system_ruleset="localrules"
+
+This gets into effect by reboot or by command
+  /etc/rc.d/devfs start
+
+-----------
+On Solaris:
+-----------
+Run cdrskin by
+  pfexec cdrskin ...arguments...
+
+The following settings will make pfexec keep original UID and EUID and prevent
+most superuser powers. Be aware that you still can manipulate all device files
+if you have the file permissions for that.
+Full root privileges for cdrskin can then be aquired only by command su.
+
+Edit /etc/security/exec_attr and add this line to the other "Media Backup"
+lines:
+  Media Backup:solaris:cmd:::/usr/local/bin/cdrskin:privs=basic,sys_devices
+Edit /etc/user_attr and add profile "Media Backup" to the user's line:
+  thomas::::profiles=Media Backup,Primary Administrator;roles=root
+See also man privileges, man exec_attr, man user_attr.
+
+Then allow the group r-access to the drives
+  pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
+  pfexec chmod g+r    /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
+The last two commands have to be executed after each boot. I do not know
+the relevant device configuration files yet.
+
 
 ------------------------------------------------------------------------------
                       Project aspects and legal stuff

libburn/trunk/cdrskin/cdrskin.1

@@ -2,7 +2,7 @@
 .\" First parameter, NAME, should be all caps
 .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
 .\" other parameters are allowed: see man(7), man(1)
-.TH CDRSKIN 1 "Feb 29, 2010"
+.TH CDRSKIN 1 "Jun 10, 2010"
 .\" Please adjust this date whenever revising the manpage.
 .\"
 .\" Some roff macros, for reference:
@@ -271,19 +271,22 @@ the drive is somewhat higher but the overall system is much less at stake.
 Consider to restrict rw-access to a single group which bundles the users who
 are allowed to use the burner drive (like group "floppy").
 .br
+For drive permission examples on Linux, FreeBSD, and Solaris,
+see cdrskin/README.
+.br
 .PP
 If you only got one CD capable drive then you may leave out cdrskin option
 \fBdev=\fP. Else you should use this option to address the drive you want.
 .br
 cdrskin option dev= not only accepts the listed addresses but also
-traditional cdrecord SCSI addresses which on Linux consist of three
-numbers: Bus,Target,Lun. There is also a related address family "ATA" which
+traditional cdrecord SCSI addresses which consist of three numbers:
+Bus,Target,Lun. On Linux there is also a related address family "ATA" which
 accesses IDE drives not under control of Linux SCSI drivers:
 ATA:Bus,Target,Lun.
 .br
 See option -scanbus for getting a list of cdrecord style addresses.
 .br
-Further are accepted on Linux: links to libburn-suitable device files, 
+Further are accepted: links to libburn-suitable device files, 
 device files which have the same major and minor device number,
 and device files which have the same SCSI address parameters (e.g. /dev/sg0).
 .br