|
|
|
@ -41,8 +41,8 @@ components:
|
|
|
|
|
plus on FreeBSD: libiconv, libcam, IDE and SATA drives need atapicam
|
|
|
|
|
Optional at compile time are:
|
|
|
|
|
libreadline and the readline-dev headers make dialog mode more convenient.
|
|
|
|
|
on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs.
|
|
|
|
|
zlib and zlib-devel allow zisofs compression.
|
|
|
|
|
on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs.
|
|
|
|
|
If they were present at compile time, then the optional libraries have to
|
|
|
|
|
be present at runtime, too.
|
|
|
|
|
|
|
|
|
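Review bot: The optional-library list in this hunk mixes two package naming schemes: "readline-dev" for readline, but "libacl-devel" and "zlib-devel" for the other two. Since the libacl line is being moved here anyway, consider naming the header packages consistently, or stating once that the development package is called -dev or -devel depending on the distribution.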
@ -134,24 +134,29 @@ A list of rw-accessible drives can be obtained by
|
|
|
|
|
|
|
|
|
|
xorriso -devices
|
|
|
|
|
|
|
|
|
|
CD devices which offer no rw-permission are invisible to normal users.
|
|
|
|
|
CD devices which offer not enough permission are invisible to normal users.
|
|
|
|
|
The superuser should be able to see any usable drive and then set the
|
|
|
|
|
permissions as needed.
|
|
|
|
|
On Linux and FreeBSD, rw-permissions are needed.
|
|
|
|
|
On Solaris, the privilege "sys_devices" and r-permission are needed.
|
|
|
|
|
|
|
|
|
|
The output of xorriso -devices might look like
|
|
|
|
|
|
|
|
|
|
0 -dev '/dev/sr0' rwrw-- : 'TSSTcorp' 'CDDVDW SH-S203B'
|
|
|
|
|
1 -dev '/dev/hda' rwrw-- : 'HL-DT-ST' 'DVD-ROM GDR8162B'
|
|
|
|
|
|
|
|
|
|
Full and insecure enabling of both for everybody would look like
|
|
|
|
|
On Linux, full and insecure enabling of both for everybody would look like
|
|
|
|
|
chmod a+rw /dev/sr0 /dev/hda
|
|
|
|
|
This is equivalent to the traditional setup chmod a+x,u+s cdrecord.
|
|
|
|
|
|
|
|
|
|
On FreeBSD, device permissions are to be set in /etc/devfs.rules.
|
|
|
|
|
On Solaris, pfexec privileges may be restricted to "base,sys_devices".
|
|
|
|
|
See below "System Dependend Drive Permission Examples".
|
|
|
|
|
|
|
|
|
|
I strongly discourage to run xorriso with setuid root or via sudo !
|
|
|
|
|
It is not checked for the necessary degree of hacker safety.
|
|
|
|
|
|
|
|
|
|
Consider to put all authorized users into group "floppy", to chgrp the
|
|
|
|
|
device file to that group and to disallow w-access to others.
|
|
|
|
|
Better consider to grant the necessary permissions to group "floppy"
|
|
|
|
|
and to add users to it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A possible source of problems are hald or other automounters.
|
|
|
|
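Review bot: Of the two versions of the group "floppy" advice in this hunk, only the first says "to disallow w-access to others"; the second, which by its position is the text that stays, only says to grant permissions to the group and add users to it. It comes right after the chmod a+rw example that the text itself calls insecure, so a reader who tried that command gets no hint to take the access for others back. Suggest keeping that clause in the new wording. Smaller points: the Solaris line here says "base,sys_devices" while the exec_attr example further down in this patch uses privs=basic,sys_devices, and "Dependend" in the cross-reference should read "Dependent".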
@ -293,6 +298,83 @@ setup unless you have reason to enforce a newer bug fix level.
|
|
|
|
|
GNU xorriso has less runtime dependencies and can be moved more freely.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
System Dependend Drive Permission Examples
|
|
|
|
|
|
|
|
|
|
Accessing the optical drives requires privileges which usually are granted
|
|
|
|
|
only to the superuser. GNU/Linux, FreeBSD and Solaris offer quite different
|
|
|
|
|
approaches for avoiding the need for unrestricted privileges.
|
|
|
|
|
|
|
|
|
|
First check whether some friendly system setting already allows you to
|
|
|
|
|
access the drives as normal user:
|
|
|
|
|
xorriso -devices
|
|
|
|
|
Those drives of which you see address and type strings are already usable.
|
|
|
|
|
|
|
|
|
|
If there remain drives invisible which the superuser can see by the same
|
|
|
|
|
command, then the following examples might help:
|
|
|
|
|
|
|
|
|
|
---------------------
|
|
|
|
|
On all three systems:
|
|
|
|
|
---------------------
|
|
|
|
|
Add the authorized users of CD drives to group "floppy" in /etc/group.
|
|
|
|
|
If missing: create this group.
|
|
|
|
|
Changes to /etc/group often only affect new login sessions. So log out and in
|
|
|
|
|
before making the first tests.
|
|
|
|
|
|
|
|
|
|
-------------
|
|
|
|
|
On GNU/Linux:
|
|
|
|
|
-------------
|
|
|
|
|
Allow rw-access to the drives
|
|
|
|
|
chgrp floppy /dev/sr0 /dev/sr1
|
|
|
|
|
chmod g+rw /dev/sr0 /dev/sr1
|
|
|
|
|
It might be necessary to perform chgrp and chmod after each reboot or to
|
|
|
|
|
edit distro dependent device configuration files for permanent settings.
|
|
|
|
|
|
|
|
|
|
-----------
|
|
|
|
|
On FreeBSD:
|
|
|
|
|
-----------
|
|
|
|
|
Edit /etc/devfs.rules and make sure to have these lines
|
|
|
|
|
[localrules=10]
|
|
|
|
|
add path 'acd*' mode 0664 group floppy
|
|
|
|
|
add path 'cd*' mode 0664 group floppy
|
|
|
|
|
add path 'pass*' mode 0664 group floppy
|
|
|
|
|
add path 'xpt*' mode 0664 group floppy
|
|
|
|
|
[localrules=5]
|
|
|
|
|
add path 'pass*' mode 0664 group floppy
|
|
|
|
|
add path 'cd*' mode 0664 group floppy
|
|
|
|
|
add path 'xpt*' mode 0664 group floppy
|
|
|
|
|
add path 'acd*' mode 0664 group floppy
|
|
|
|
|
|
|
|
|
|
Edit /etc/rc.conf and add the following line if missing
|
|
|
|
|
devfs_system_ruleset="localrules"
|
|
|
|
|
|
|
|
|
|
This gets into effect by reboot or by command
|
|
|
|
|
/etc/rc.d/devfs start
|
|
|
|
|
|
|
|
|
|
-----------
|
|
|
|
|
On Solaris:
|
|
|
|
|
-----------
|
|
|
|
|
Run xorriso by
|
|
|
|
|
pfexec xorriso ...arguments...
|
|
|
|
|
|
|
|
|
|
The following settings will make pfexec keep original UID and EUID and prevent
|
|
|
|
|
most superuser powers. Be aware that you still can manipulate all device files
|
|
|
|
|
if you have the file permissions for that.
|
|
|
|
|
Full root privileges for xorriso can then be aquired only by command su.
|
|
|
|
|
|
|
|
|
|
Edit /etc/security/exec_attr and add this line to the other "Media Backup"
|
|
|
|
|
lines:
|
|
|
|
|
Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices
|
|
|
|
|
Edit /etc/user_attr and add profile "Media Backup" to the user's line:
|
|
|
|
|
thomas::::profiles=Media Backup,Primary Administrator;roles=root
|
|
|
|
|
See also man privileges, man exec_attr, man user_attr.
|
|
|
|
|
|
|
|
|
|
Then allow the group r-access to the drives
|
|
|
|
|
pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
|
|
|
|
|
pfexec chmod g+r /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
|
|
|
|
|
The last two commands have to be executed after each boot. I do not know
|
|
|
|
|
the relevant device configuration files yet.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
|
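Review bot: In the Solaris part, the user_attr example line "thomas::::profiles=Media Backup,Primary Administrator;roles=root" also carries Primary Administrator and roles=root, which undercuts the surrounding text about pfexec keeping the original UID and preventing most superuser powers. Suggest showing a line where Media Backup is the only profile, or saying that the other entries merely happened to exist for that user. In the FreeBSD part, two ruleset headers appear, [localrules=10] and [localrules=5], each followed by the same four add path rules; only one of them should remain. The globs 'pass*' and 'xpt*' with mode 0664 are not limited to optical drives, so a sentence is needed saying that group floppy gets rw on every CAM passthrough node. Spelling: "Dependend" in the section heading and "aquired" in the Solaris paragraph.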