Mentioned Solaris and system dependent drive permission settings

This commit is contained in:
Thomas Schmitt 2010-06-10 18:15:56 +00:00
parent 8a4698bd58
commit fd87b1b070
4 changed files with 166 additions and 68 deletions

View File

@ -41,8 +41,8 @@ components:
plus on FreeBSD: libiconv, libcam, IDE and SATA drives need atapicam plus on FreeBSD: libiconv, libcam, IDE and SATA drives need atapicam
Optional at compile time are: Optional at compile time are:
libreadline and the readline-dev headers make dialog mode more convenient. libreadline and the readline-dev headers make dialog mode more convenient.
on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs.
zlib and zlib-devel allow zisofs compression. zlib and zlib-devel allow zisofs compression.
on GNU/Linux: libacl and libacl-devel allow getting and setting ACLs.
If they were present at compile time, then the optional libraries have to If they were present at compile time, then the optional libraries have to
be present at runtime, too. be present at runtime, too.
@ -134,24 +134,29 @@ A list of rw-accessible drives can be obtained by
xorriso -devices xorriso -devices
CD devices which offer no rw-permission are invisible to normal users. CD devices which offer not enough permission are invisible to normal users.
The superuser should be able to see any usable drive and then set the The superuser should be able to see any usable drive and then set the
permissions as needed. permissions as needed.
On Linux and FreeBSD, rw-permissions are needed.
On Solaris, the privilege "sys_devices" and r-permission are needed.
The output of xorriso -devices might look like The output of xorriso -devices might look like
0 -dev '/dev/sr0' rwrw-- : 'TSSTcorp' 'CDDVDW SH-S203B' 0 -dev '/dev/sr0' rwrw-- : 'TSSTcorp' 'CDDVDW SH-S203B'
1 -dev '/dev/hda' rwrw-- : 'HL-DT-ST' 'DVD-ROM GDR8162B' 1 -dev '/dev/hda' rwrw-- : 'HL-DT-ST' 'DVD-ROM GDR8162B'
Full and insecure enabling of both for everybody would look like On Linux, full and insecure enabling of both for everybody would look like
chmod a+rw /dev/sr0 /dev/hda chmod a+rw /dev/sr0 /dev/hda
This is equivalent to the traditional setup chmod a+x,u+s cdrecord. This is equivalent to the traditional setup chmod a+x,u+s cdrecord.
On FreeBSD, device permissions are to be set in /etc/devfs.rules.
On Solaris, pfexec privileges may be restricted to "base,sys_devices".
See below "System Dependend Drive Permission Examples".
I strongly discourage to run xorriso with setuid root or via sudo ! I strongly discourage to run xorriso with setuid root or via sudo !
It is not checked for the necessary degree of hacker safety. It is not checked for the necessary degree of hacker safety.
Better consider to grant the necessary permissions to group "floppy"
Consider to put all authorized users into group "floppy", to chgrp the and to add users to it.
device file to that group and to disallow w-access to others.
A possible source of problems are hald or other automounters. A possible source of problems are hald or other automounters.
@ -293,6 +298,83 @@ setup unless you have reason to enforce a newer bug fix level.
GNU xorriso has less runtime dependencies and can be moved more freely. GNU xorriso has less runtime dependencies and can be moved more freely.
System Dependend Drive Permission Examples
Accessing the optical drives requires privileges which usually are granted
only to the superuser. GNU/Linux, FreeBSD and Solaris offer quite different
approaches for avoiding the need for unrestricted privileges.
First check whether some friendly system setting already allows you to
access the drives as normal user:
xorriso -devices
Those drives of which you see address and type strings are already usable.
If there remain drives invisible which the superuser can see by the same
command, then the following examples might help:
---------------------
On all three systems:
---------------------
Add the authorized users of CD drives to group "floppy" in /etc/group.
If missing: create this group.
Changes to /etc/group often only affect new login sessions. So log out and in
before making the first tests.
-------------
On GNU/Linux:
-------------
Allow rw-access to the drives
chgrp floppy /dev/sr0 /dev/sr1
chmod g+rw /dev/sr0 /dev/sr1
It might be necessary to perform chgrp and chmod after each reboot or to
edit distro dependent device configuration files for permanent settings.
-----------
On FreeBSD:
-----------
Edit /etc/devfs.rules and make sure to have these lines
[localrules=10]
add path 'acd*' mode 0664 group floppy
add path 'cd*' mode 0664 group floppy
add path 'pass*' mode 0664 group floppy
add path 'xpt*' mode 0664 group floppy
[localrules=5]
add path 'pass*' mode 0664 group floppy
add path 'cd*' mode 0664 group floppy
add path 'xpt*' mode 0664 group floppy
add path 'acd*' mode 0664 group floppy
Edit /etc/rc.conf and add the following line if missing
devfs_system_ruleset="localrules"
This gets into effect by reboot or by command
/etc/rc.d/devfs start
-----------
On Solaris:
-----------
Run xorriso by
pfexec xorriso ...arguments...
The following settings will make pfexec keep original UID and EUID and prevent
most superuser powers. Be aware that you still can manipulate all device files
if you have the file permissions for that.
Full root privileges for xorriso can then be aquired only by command su.
Edit /etc/security/exec_attr and add this line to the other "Media Backup"
lines:
Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices
Edit /etc/user_attr and add profile "Media Backup" to the user's line:
thomas::::profiles=Media Backup,Primary Administrator;roles=root
See also man privileges, man exec_attr, man user_attr.
Then allow the group r-access to the drives
pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
pfexec chmod g+r /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
The last two commands have to be executed after each boot. I do not know
the relevant device configuration files yet.
------------------------------------------------------------------------------ ------------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify

View File

@ -9,7 +9,7 @@
.\" First parameter, NAME, should be all caps .\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1) .\" other parameters are allowed: see man(7), man(1)
.TH XORRISO 1 "May 22, 2010" .TH XORRISO 1 "Jun 10, 2010"
.\" Please adjust this date whenever revising the manpage. .\" Please adjust this date whenever revising the manpage.
.\" .\"
.\" Some roff macros, for reference: .\" Some roff macros, for reference:
@ -291,6 +291,10 @@ On FreeBSD the device files have names like
.br .br
-dev /dev/cd0 -dev /dev/cd0
.br .br
On OpenSolaris:
.br
-dev /dev/rdsk/c4t0d0s2
.br
Get a list of accessible drives by command Get a list of accessible drives by command
.br .br
-devices -devices
@ -3145,7 +3149,7 @@ Personality "\fBmkisofs\fR" accepts the options listed with:
Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list, Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list,
-f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z, -f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z,
-no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G, -no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G,
-output-charset, pathspecs as with xorriso -add. -output-charset, -U, pathspecs as with xorriso -add.
A lot of options are not supported and lead to failure of the mkisofs A lot of options are not supported and lead to failure of the mkisofs
emulation. Some are ignored, but better do not rely on this tolerance. emulation. Some are ignored, but better do not rely on this tolerance.
.br .br
@ -3497,8 +3501,10 @@ Restore directory trees from a particular ISO session to disk
Try to retrieve blocks from a damaged media Try to retrieve blocks from a damaged media
.SS .SS
.B As superuser learn about available drives .B As superuser learn about available drives
Consider to give rw permissions to those users or groups On Linux or FreeBSD consider to give rw-permissions to those users or groups
which shall be able to use the drives with xorriso. which shall be able to use the drives with xorriso.
On Solaris use pfexec. Consider to restrict privileges of xorriso to
"base,sys_devices" and to give r-permission to user or group.
.br .br
$ xorriso -devices $ xorriso -devices
.br .br
@ -4013,7 +4019,7 @@ for libburnia-project.org
.SH COPYRIGHT .SH COPYRIGHT
Copyright (c) 2007 - 2010 Thomas Schmitt Copyright (c) 2007 - 2010 Thomas Schmitt
.br .br
Permission is granted to distrubute this text freely. It shall only be Permission is granted to distribute this text freely. It shall only be
modified in sync with the technical properties of xorriso. If you make use modified in sync with the technical properties of xorriso. If you make use
of the license to derive modified versions of xorriso then you are entitled of the license to derive modified versions of xorriso then you are entitled
to modify this text under that same license. to modify this text under that same license.

View File

@ -265,6 +265,8 @@ character device. E.g.
-dev /dev/sg2 -dev /dev/sg2
On FreeBSD the device files have names like On FreeBSD the device files have names like
-dev /dev/cd0 -dev /dev/cd0
On OpenSolaris:
-dev /dev/rdsk/c4t0d0s2
Get a list of accessible drives by command Get a list of accessible drives by command
-devices -devices
It might be necessary to do this as *superuser* in order to see all It might be necessary to do this as *superuser* in order to see all
@ -2816,10 +2818,10 @@ programs trigger comparable actions.
Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m,
-exclude-list, -f, -print-size, -pad, -no-pad, -V, -v, -version, -exclude-list, -f, -print-size, -pad, -no-pad, -V, -v, -version,
-graft-points, -z, -no-emul-boot, -b, -c, -boot-info-table, -graft-points, -z, -no-emul-boot, -b, -c, -boot-info-table,
-boot-load-size, -input-charset, -G, -output-charset, pathspecs as -boot-load-size, -input-charset, -G, -output-charset, -U,
with xorriso -add. A lot of options are not supported and lead to pathspecs as with xorriso -add. A lot of options are not
failure of the mkisofs emulation. Some are ignored, but better do supported and lead to failure of the mkisofs emulation. Some are
not rely on this tolerance. ignored, but better do not rely on this tolerance.
-graft-points is equivalent to -pathspecs on. Note that pathspecs -graft-points is equivalent to -pathspecs on. Note that pathspecs
without "=" are interpreted differently than with xorriso option without "=" are interpreted differently than with xorriso option
-add. Directories get merged with the root directory of the ISO -add. Directories get merged with the root directory of the ISO
@ -3117,8 +3119,10 @@ File: xorriso.info, Node: ExDevices, Next: ExCreate, Prev: Frontend, Up: Exa
10.1 As superuser learn about available drives 10.1 As superuser learn about available drives
============================================== ==============================================
Consider to give rw permissions to those users or groups which shall be On Linux or FreeBSD consider to give rw-permissions to those users or
able to use the drives with xorriso. groups which shall be able to use the drives with xorriso. On Solaris
use pfexec. Consider to restrict privileges of xorriso to
"base,sys_devices" and to give r-permission to user or group.
$ xorriso -devices $ xorriso -devices
0 -dev '/dev/sr0' rwrw-- : '_NEC ' 'DVD_RW ND-4570A' 0 -dev '/dev/sr0' rwrw-- : '_NEC ' 'DVD_RW ND-4570A'
@ -3614,7 +3618,7 @@ for libburnia-project.org
============== ==============
Copyright (c) 2007 - 2010 Thomas Schmitt Copyright (c) 2007 - 2010 Thomas Schmitt
Permission is granted to distrubute this text freely. It shall only be Permission is granted to distribute this text freely. It shall only be
modified in sync with the technical properties of xorriso. If you make modified in sync with the technical properties of xorriso. If you make
use of the license to derive modified versions of xorriso then you are use of the license to derive modified versions of xorriso then you are
entitled to modify this text under that same license. entitled to modify this text under that same license.
@ -4059,51 +4063,51 @@ Node: Model3209
Node: Media6089 Node: Media6089
Node: Methods8519 Node: Methods8519
Node: Drives11066 Node: Drives11066
Node: Extras14332 Node: Extras14372
Node: Processing17730 Node: Processing17770
Node: Dialog21226 Node: Dialog21266
Node: Options22883 Node: Options22923
Node: AqDrive24451 Node: AqDrive24491
Node: Loading27357 Node: Loading27397
Node: Insert39792 Node: Insert39832
Node: SetInsert48149 Node: SetInsert48189
Node: Manip56716 Node: Manip56756
Node: CmdFind64592 Node: CmdFind64632
Node: Filter73937 Node: Filter73977
Node: Writing78286 Node: Writing78326
Node: SetWrite84575 Node: SetWrite84615
Node: Bootable94859 Node: Bootable94899
Node: Charset102607 Node: Charset102647
Node: Exception105361 Node: Exception105401
Node: DialogCtl109876 Node: DialogCtl109916
Node: Inquiry112221 Node: Inquiry112261
Node: Navigate116361 Node: Navigate116401
Node: Verify123715 Node: Verify123755
Node: Restore132135 Node: Restore132175
Node: Emulation138791 Node: Emulation138831
Node: Scripting145660 Node: Scripting145704
Node: Frontend151222 Node: Frontend151266
Node: Examples152423 Node: Examples152467
Node: ExDevices153592 Node: ExDevices153636
Node: ExCreate154074 Node: ExCreate154270
Node: ExDialog155348 Node: ExDialog155544
Node: ExGrowing156610 Node: ExGrowing156806
Node: ExModifying157412 Node: ExModifying157608
Node: ExBootable157913 Node: ExBootable158109
Node: ExCharset158460 Node: ExCharset158656
Node: ExPseudo159288 Node: ExPseudo159484
Node: ExCdrecord160182 Node: ExCdrecord160378
Node: ExMkisofs160497 Node: ExMkisofs160693
Node: ExGrowisofs161500 Node: ExGrowisofs161696
Node: ExException162624 Node: ExException162820
Node: ExTime163078 Node: ExTime163274
Node: ExIncBackup163537 Node: ExIncBackup163733
Node: ExRestore167009 Node: ExRestore167205
Node: ExRecovery167978 Node: ExRecovery168174
Node: Files168544 Node: Files168740
Node: Seealso169582 Node: Seealso169778
Node: Legal170106 Node: Legal170302
Node: CommandIdx171028 Node: CommandIdx171224
Node: ConceptIdx184329 Node: ConceptIdx184525
 
End Tag Table End Tag Table

View File

@ -19,7 +19,7 @@
@c The first line gets discarded. @c The first line gets discarded.
@c Line start "@c man " will become "", the remainder is put out unaltered. @c Line start "@c man " will become "", the remainder is put out unaltered.
@c Lines "@*" will be converted to ".br" @c Lines "@*" will be converted to ".br"
@c @c man-ignore-lines N will discard N following lines. @c "@c man-ignore-lines N" will discard N following lines.
@c "@c man-ignore-lines begin" discards all following lines @c "@c man-ignore-lines begin" discards all following lines
@c up to "@c man-ignore-lines end". @c up to "@c man-ignore-lines end".
@c Line blocks of "@menu" "@end menu" will be discarded. @c Line blocks of "@menu" "@end menu" will be discarded.
@ -44,7 +44,7 @@
@c man .\" First parameter, NAME, should be all caps @c man .\" First parameter, NAME, should be all caps
@c man .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection @c man .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
@c man .\" other parameters are allowed: see man(7), man(1) @c man .\" other parameters are allowed: see man(7), man(1)
@c man .TH XORRISO 1 "May 22, 2010" @c man .TH XORRISO 1 "Jun 10, 2010"
@c man .\" Please adjust this date whenever revising the manpage. @c man .\" Please adjust this date whenever revising the manpage.
@c man .\" @c man .\"
@c man .\" Some roff macros, for reference: @c man .\" Some roff macros, for reference:
@ -410,6 +410,10 @@ On FreeBSD the device files have names like
@* @*
-dev /dev/cd0 -dev /dev/cd0
@* @*
On OpenSolaris:
@*
-dev /dev/rdsk/c4t0d0s2
@*
Get a list of accessible drives by command Get a list of accessible drives by command
@* @*
-devices -devices
@ -3766,7 +3770,7 @@ Personality "@strong{mkisofs}" accepts the options listed with:
Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list, Among them: -R (always on), -r, -J, -o, -M, -C, -path-list, -m, -exclude-list,
-f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z, -f, -print-size, -pad, -no-pad, -V, -v, -version, -graft-points, -z,
-no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G, -no-emul-boot, -b, -c, -boot-info-table, -boot-load-size, -input-charset, -G,
-output-charset, pathspecs as with xorriso -add. -output-charset, -U, pathspecs as with xorriso -add.
A lot of options are not supported and lead to failure of the mkisofs A lot of options are not supported and lead to failure of the mkisofs
emulation. Some are ignored, but better do not rely on this tolerance. emulation. Some are ignored, but better do not rely on this tolerance.
@* @*
@ -4206,8 +4210,10 @@ Use text as name of this program and perform -help.
@c man .B As superuser learn about available drives @c man .B As superuser learn about available drives
@node ExDevices, ExCreate, Frontend, Examples @node ExDevices, ExCreate, Frontend, Examples
@section As superuser learn about available drives @section As superuser learn about available drives
Consider to give rw permissions to those users or groups On Linux or FreeBSD consider to give rw-permissions to those users or groups
which shall be able to use the drives with xorriso. which shall be able to use the drives with xorriso.
On Solaris use pfexec. Consider to restrict privileges of xorriso to
"base,sys_devices" and to give r-permission to user or group.
@* @*
@sp 1 @sp 1
$ xorriso -devices $ xorriso -devices
@ -4886,7 +4892,7 @@ for libburnia-project.org
@section Copyright @section Copyright
Copyright (c) 2007 - 2010 Thomas Schmitt Copyright (c) 2007 - 2010 Thomas Schmitt
@* @*
Permission is granted to distrubute this text freely. It shall only be Permission is granted to distribute this text freely. It shall only be
modified in sync with the technical properties of xorriso. If you make use modified in sync with the technical properties of xorriso. If you make use
of the license to derive modified versions of xorriso then you are entitled of the license to derive modified versions of xorriso then you are entitled
to modify this text under that same license. to modify this text under that same license.