New option -drive_class for safety management of pseudo-drive access
@ -2,7 +2,7 @@
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH XORRISO 1 "Dec 13, 2008"
.TH XORRISO 1 "Dec 16, 2008"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
@ -296,14 +296,19 @@ Consider to bundle the authorized users in a group like old "floppy".
Filesystem objects of nearly any type can be addressed by prefix "stdio:" and
their path in the filesystem. E.g.:
.br
-dev stdio:/tmp/pseudo_drive
-dev stdio:/dev/sdc
.br
The default setting of -drive_class allows to address files outside the
/dev tree without that prefix. E.g.:
.br
-dev /tmp/pseudo_drive
.br
If path leads to a regular file or to a block device then the emulated drive
is random access readable and can be used for the method of growing if it
already contains a valid ISO 9660 image. Any other file type is not readable
via "stdio:" and can only be used as target for the method of modifying or
blind growing.
Non existing paths in existing directories are handled as empty regular files.
Non-existing paths in existing directories are handled as empty regular files.
.PP
A very special kind of pseudo drive are open file descriptors. They are
depicted by "stdio:/dev/fd/" and descriptor number (see man 2 open).
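Review bot: the new paragraph after the second `.br` ("The default setting of -drive_class allows to address files outside the /dev tree without that prefix") combines badly with the unchanged rule a few lines below that non-existing paths in existing directories are handled as empty regular files: a mistyped -dev or -outdev path outside /dev now fails no longer but silently creates an empty file that is then treated as an empty drive. State here, or in the Note of -drive_class, that the prefix-free form gives no protection against typos outside /dev, and say that this default comes from the "/dev" entry of the "risky" list so the reader knows where to change it. Also "allows to address" should read "allows addressing".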
@ -326,12 +331,18 @@ If stdout is used as drive, then -use_readline is permanently disabled.
Use of backdoors will cause severe memory and/or tty corruption.
.PP
Be aware that especially the superuser can write into any accessible file or
device by using its path with the "stdio:" prefix. Addresses without prefix
"stdio:" will only work if they lead to a MMC drive.
device by using its path with the "stdio:" prefix. By default any address
in the /dev tree without prefix "stdio:" will work only if it leads to a MMC
drive.
.br
One may use option
.B -ban_stdio_write
to surely prevent this risk and to allow only MMC drives.
.br
One may prepend "mmc:" to a path to surely disallow any automatic "stdio:".
.br
By option -drive_class one may ban certain paths or allow access without
prefix "stdio:" to other paths.
.SS
.B Rock Ridge, POSIX, X/Open, and El Torito:
.br
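Review bot: the replaced sentence now restricts the MMC-only rule to the /dev tree ("By default any address in the /dev tree without prefix "stdio:" will work only if it leads to a MMC drive"), but the unchanged sentence that follows still promises that -ban_stdio_write will "surely prevent this risk and ... allow only MMC drives". Since the default -drive_class lists now accept prefix-free paths outside /dev, say explicitly whether -ban_stdio_write also blocks writing to those paths (i.e. whether it takes precedence over the "harmless" list); otherwise a reader may assume it covers them. Minor: "a MMC drive" should be "an MMC drive", and "allow access without prefix "stdio:" to other paths" reads better as "allow other paths to be used without prefix "stdio:"".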
@ -518,6 +529,41 @@ apply. See above paragraph "Libburn drives".
An empty address string "" gives up the current output drive
without aquiring a new one. No writing is possible without an output drive.
.TP
\fB\-drive_class\fR "harmless"|"banned"|"risky"|"clear_list" disk_pattern
Add a drive path pattern to one of the safety lists or make those lists empty.
There are three lists defined which get tested in the following sequence:
.br
If a drive address path matches the "harmless" list then the drive will be
accepted. If it is not a MMC device then the prefix "stdio:" will be prepended
automatically. This list is empty by default.
.br
Else if the path matches the "banned" list then the drive will not be
accepted by xorriso but rather lead to a FAILURE event. This list is empty by
default.
.br
Else if the path matches the "risky" list and if it is not a MMC device,
then its address must have the prefix "stdio:" or it will be rejected.
This list has by default one entry: "/dev".
.br
If a drive path matches no list then it is considered "harmless". By default
these are all paths which do not begin with directory "/dev".
.br
A path matches a list if one of its parent paths or itself matches a list
entry. An eventual address prefix "stdio:" or "mmc:" will be ignored when
testing for matches.
.br
By pseudo-class "clear_list" and pseudo-patterns "banned", "risky", "harmless",
or "all", the lists may be made empty.
.br
E.g.: -drive_class clear_list banned
.br
One will normally define the -drive_class lists in one of the xorriso
Startup Files.
.br
Note: This is not a security feature but rather a bumper for the superuser to
prevent inadverted mishaps. For reliably blocking access to a device file you
have to deny its rw-permissions in the filesystem.
.TP
\fB\-grow_blindly\fR "off"|predicted_nwa
If predicted_nwa is a non-negative number then perform blind growing rather
than modifying if -indev and -outdev are set to different drives.
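Review bot: the syntax of disk_pattern is never defined in the new -drive_class text. The first sentence calls it a "drive path pattern", but the matching rule ("A path matches a list if one of its parent paths or itself matches a list entry") describes only exact and parent-directory matching, while the example added later in this commit uses "/dev/sda*". State whether shell wildcards are supported and how they combine with parent-path matching (for instance whether "/dev/sda*" also covers "/dev/sda1"). The test order also deserves a sentence: because "harmless" is tested before "banned", a broad entry such as "harmless /dev" silently defeats every "banned /dev/sdX" entry, so specific harmless entries should be recommended over broad ones. Typo in the new Note: "inadverted" should be "inadvertent" (and "aquiring" in the unchanged context line above is "acquiring").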
@ -2735,11 +2781,22 @@ will be made terminal-safe by option -backslash_codes.
.B Operate on storage facilities other than optical drives
Full read-write operation is possible with regular files and block devices:
.br
\fB$\fR xorriso -dev stdio:/tmp/regular_file ...
\fB$\fR xorriso -dev /tmp/regular_file ...
.br
Paths underneath /dev normally need prefix "stdio:"
.br
\fB$\fR xorriso -dev stdio:/dev/sdb ...
.br
If /dev/sdb is to be used frequently and /dev/sda is the system disk,
then consider to place the following lines in a xorriso Startup File.
They allow to use /dev/sdb without prefix and protect your disk from xorriso:
.br
-drive_class banned /dev/sda*
-drive_class harmless /dev/sdb
.br
Other writeable file types are supported write-only:
.br
\fB$\fR xorriso -outdev stdio:/tmp/named_pipe ...
\fB$\fR xorriso -outdev /tmp/named_pipe ...
.br
Among the write-only drives is standard output:
.br
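Review bot: the example "-drive_class banned /dev/sda*" relies on wildcard matching that the -drive_class description in this commit does not define; if only exact and parent-path matching exist, "/dev/sda" without the asterisk would be the correct entry and partitions such as "/dev/sda1" would need entries of their own. The companion line "-drive_class harmless /dev/sdb" likewise does not cover "/dev/sdb1" under parent-path matching, since that path's parent is /dev, not /dev/sdb, so a user following this example will still be asked for the "stdio:" prefix on partitions. Please align the example with the documented matching semantics, or document the wildcard support the example assumes. Minor: "consider to place" should be "consider placing", "They allow to use" should be "They allow using", and "writeable" should be "writable".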