
[Libcdio-devel] Re: libcdio-0.83git on Solaris


From: Thomas Schmitt
Subject: [Libcdio-devel] Re: libcdio-0.83git on Solaris
Date: Thu, 10 Jun 2010 15:34:38 +0200

Hi,

Seth Goldberg pointed me to a solution for the
problem of undesired superuser powers on Solaris.
(One needs one of the superuser privileges to run
 SCSI commands.)

It is not perfect yet, because:
- Solaris command pfexec is still needed.
  It only loses its full superuser power when it
  starts /usr/local/bin/xorriso .
- Each program needs its own entries in the
  system configuration files.
- The effects of chmod do not persist over
  reboot. But device files need r-permission for
  the user or one of his groups.

Does anybody know where the permanent permissions
for device files are set in Solaris?
(In FreeBSD it is in /etc/devfs.rules)


As an example, what an application would have
to do, this is what I currently describe in
xorriso's README file:
------------------------------------------------
On Solaris: 
Run xorriso by
  pfexec xorriso ...arguments...

The following recipe will make pfexec keep original UID and EUID and prevent
most superuser powers. Be aware that you still can manipulate all device files
if you have the file permissions for that.
Full root privileges for xorriso can then be acquired only by command su.

Edit /etc/security/exec_attr and add this line to the other "Media Backup"
lines:
  Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices
Edit /etc/user_attr and add profile "Media Backup" to the user's line:
  thomas::::profiles=Media Backup,Primary Administrator;roles=root
See also man privileges, man exec_attr, man user_attr.

Add the user to group "floppy" in /etc/group. Eventually create this group.
Changes to /etc/group affect only new login sessions, as it seems.
Then allow the group r-access to the drives
  pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
  pfexec chmod g+r    /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
The last two commands have to be executed after each boot. I do not know
the relevant device configuration files yet.
  
------------------------------------------------


Have a nice day :)

Thomas
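
Added example, not part of the original message or of xorriso: a shell check over exec_attr-style lines that confirms a profile's commands keep the caller's IDs and receive only the privileges named in the recipe above. The function names, the /opt/example paths and the two contrast entries are constructed for illustration; only the xorriso line comes from the message.

```shell
#!/bin/sh
# Audit exec_attr(4)-style lines for one rights profile.
# Field layout: name:policy:type:res1:res2:id:attr (attr = key=value;key=value)

# Constructed sample input. The xorriso entry is the line from the README text
# above; the other entries are made up for contrast.
sample_exec_attr() {
cat <<'EOF'
# comment lines are skipped
Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices
Media Backup:suser:cmd:::/opt/example/bin/tapetool:euid=0
Media Backup:solaris:cmd:::/opt/example/bin/burner:privs=all
Other Profile:solaris:cmd:::/opt/example/bin/unrelated:privs=all
EOF
}

# audit_exec_attr PROFILE [ALLOWED_PRIVS]
# Reads exec_attr lines on stdin and prints "<verdict> <path> <reason>"
# for every cmd entry of PROFILE.
audit_exec_attr() {
  awk -F: -v profile="$1" -v allowed="${2:-basic,sys_devices}" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ || NF < 7 { next }              # comments, malformed lines
    $1 != profile || $3 != "cmd" { next }      # other profiles, non-cmd entries
    {
      verdict = "OK"; reason = "within " allowed
      m = split($7, kv, ";")
      for (i = 1; i <= m; i++) {
        eq = index(kv[i], "=")
        key = substr(kv[i], 1, eq - 1); val = substr(kv[i], eq + 1)
        if (key ~ /^e?[ug]id$/) {              # uid, euid, gid, egid change identity
          verdict = "REVIEW"; reason = "sets " kv[i]
        } else if (key == "privs") {
          p = split(val, pv, ",")
          for (j = 1; j <= p; j++)
            if (!(pv[j] in ok)) { verdict = "REVIEW"; reason = "extra privilege " pv[j] }
        }
      }
      print verdict, $6, reason
    }'
}

# Stand-alone run on the constructed sample; on a real system feed it
# /etc/security/exec_attr instead.
sample_exec_attr | audit_exec_attr "Media Backup"
```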



