Mentioned Solaris and system dependent drive permission settings

2010-06-10 17:23:23 +00:00 · 2010-06-10 17:23:23 +00:00 · 6e0cd74a48
commit 6e0cd74a48
parent 158381e187
3 changed files with 96 additions and 15 deletions
--- a/libburn/trunk/README
+++ b/libburn/trunk/README
@ -145,6 +145,8 @@ The project components (list subject to growth, hopefully):
           also allows to grow ISO-9660 filesystem images on multi-session
           media as well as on overwriteable media via the same API.
           All media peculiarities are handled automatically.
           It also contains the methods of command oriented application
           xorriso and offers them via a C language API.
 - cdrskin  is a limited cdrecord compatibility wrapper for libburn.
           cdrecord is a powerful GPL'ed burn program included in Joerg
@ -164,6 +166,8 @@ The project components (list subject to growth, hopefully):
           changing, incremental backups, activating boot images, and
           extracting of files from ISO images to disk. An own ISO 9660
           extension stores ACLs, xattr, and MD5 of file content.
           All features of xorriso are also available via a C language API
           of libisoburn.
           See xorriso/README for more.
 - "test"   is a collection of application gestures and examples given by the
--- a/libburn/trunk/cdrskin/README
+++ b/libburn/trunk/cdrskin/README
@ -104,17 +104,25 @@ The output of  cdrskin --devices  might look like
    0  dev='/dev/sr0'  rwrwr- :  '_NEC'  'DVD_RW ND-4570A'
    1  dev='/dev/sr1'  rwrw-- :  'HL-DT-ST'  'DVDRAM GSA-4082B'
-So full and insecure enabling of both for everybody would look like
+On Linux, full and insecure enabling of both for everybody would look like
-
+    chmod a+rw /dev/sr0 /dev/hda
    chmod a+rw /dev/sr0 /dev/sr1
 This is equivalent to the traditional setup chmod a+x,u+s cdrecord.
 On FreeBSD, device permissions are to be set in /etc/devfs.rules.
 On Solaris, pfexec privileges may be restricted to "base,sys_devices".
 See below "System Dependend Drive Permission Examples".
 I strongly discourage to run cdrskin with setuid root or via sudo !
 It is not checked for the necessary degree of hacker safety.
 Better consider to grant the necessary permissions to group "floppy"
 and to add users to it.
 A behavioral conflict is known between any burn software and demons like hald
 which probe CD drives. This can spoil burn runs for CD-R or CD-RW.
 You may have to keep your hald away from the drive. See for example
   http://www.freebsd.org/gnome/docs/halfaq.html
 Consider to put all authorized users into group "floppy", to chgrp the
 device file to that group and to disallow w-access to others.
 Helpful with Linux kernel 2.4 is a special SCSI feature:
 It is possible to address a scsi(-emulated) drive via associated device files
@ -123,11 +131,6 @@ as listed device files. This addressing via e.g. /dev/sr0 or /dev/scd1 is
 compatible with generic read programs like dd and with write program growisofs.
 For finding /dev/sg1 from /dev/sr0, the program needs rw-access to both files.
 A behavioral conflict is known between any burn software and demons like hald
 which probe CD drives. This can spoil burn runs for CD-R or CD-RW.
 You may have to keep your hald away from the drive. See for example
   http://www.freebsd.org/gnome/docs/halfaq.html
                                Usage examples 
@ -434,6 +437,77 @@ It will not read startup files, will abort on option  dev_translation= ,
 will not have a fifo buffer, and will not be able to put out help texts or
 debugging messages.
 ------------------------------------------------------------------------------
                  System Dependend Drive Permission Examples
 Accessing the optical drives requires privileges which usually are granted
 only to the superuser. Linux, FreeBSD and Solaris offer quite different
 approaches for avoiding the need for unrestricted privileges.
 --------------------- 
 On all three systems:
 --------------------- 
 Add the authorized user of CD drives to group "floppy" in /etc/group.
 If missing: create this group.
 Changes to /etc/group often only affect new login sessions. So log out and in
 before making the first tests.
 ---------
 On Linux:
 ---------
 Allow rw-access to the drives
  chgrp floppy /dev/sr0 /dev/sr1
  chmod g+rw   /dev/sr0 /dev/sr1
 It might be necessary to perform chgrp and chmod after each reboot or to
 edit distro dependent device configuration files for permanent settings.
 -----------
 On FreeBSD:
 -----------
 On FreeBSD:
 Edit /etc/devfs.rules and make sure to have these lines
  [localrules=10]
  add path 'acd*' mode 0664 group floppy
  add path 'cd*' mode 0664 group floppy
  add path 'pass*' mode 0664 group floppy
  add path 'xpt*' mode 0664 group floppy
  [localrules=5]
  add path 'pass*' mode 0664 group floppy
  add path 'cd*' mode 0664 group floppy
  add path 'xpt*' mode 0664 group floppy
  add path 'acd*' mode 0664 group floppy
 Edit /etc/rc.conf and add the following line if missing
  devfs_system_ruleset="localrules"
 This gets into effect by reboot or by command
  /etc/rc.d/devfs start
 -----------
 On Solaris:
 -----------
 Run cdrskin by
  pfexec cdrskin ...arguments...
 The following settings will make pfexec keep original UID and EUID and prevent
 most superuser powers. Be aware that you still can manipulate all device files
 if you have the file permissions for that.
 Full root privileges for cdrskin can then be aquired only by command su.
 Edit /etc/security/exec_attr and add this line to the other "Media Backup"
 lines:
  Media Backup:solaris:cmd:::/usr/local/bin/cdrskin:privs=basic,sys_devices
 Edit /etc/user_attr and add profile "Media Backup" to the user's line:
  thomas::::profiles=Media Backup,Primary Administrator;roles=root
 See also man privileges, man exec_attr, man user_attr.
 Then allow the group r-access to the drives
  pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
  pfexec chmod g+r    /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
 The last two commands have to be executed after each boot. I do not know
 the relevant device configuration files yet.
 ------------------------------------------------------------------------------
                      Project aspects and legal stuff
--- a/libburn/trunk/cdrskin/cdrskin.1
+++ b/libburn/trunk/cdrskin/cdrskin.1
@ -2,7 +2,7 @@
 .\" First parameter, NAME, should be all caps
 .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
 .\" other parameters are allowed: see man(7), man(1)
-.TH CDRSKIN 1 "Feb 29, 2010"
+.TH CDRSKIN 1 "Jun 10, 2010"
 .\" Please adjust this date whenever revising the manpage.
 .\"
 .\" Some roff macros, for reference:
@ -271,19 +271,22 @@ the drive is somewhat higher but the overall system is much less at stake.
 Consider to restrict rw-access to a single group which bundles the users who
 are allowed to use the burner drive (like group "floppy").
 .br
 For drive permission examples on Linux, FreeBSD, and Solaris,
 see cdrskin/README.
 .br
 .PP
 If you only got one CD capable drive then you may leave out cdrskin option
 \fBdev=\fP. Else you should use this option to address the drive you want.
 .br
 cdrskin option dev= not only accepts the listed addresses but also
-traditional cdrecord SCSI addresses which on Linux consist of three
+traditional cdrecord SCSI addresses which consist of three numbers:
-numbers: Bus,Target,Lun. There is also a related address family "ATA" which
+Bus,Target,Lun. On Linux there is also a related address family "ATA" which
 accesses IDE drives not under control of Linux SCSI drivers:
 ATA:Bus,Target,Lun.
 .br
 See option -scanbus for getting a list of cdrecord style addresses.
 .br
-Further are accepted on Linux: links to libburn-suitable device files, 
+Further are accepted: links to libburn-suitable device files, 
 device files which have the same major and minor device number,
 and device files which have the same SCSI address parameters (e.g. /dev/sg0).
 .br