[Libcdio-devel] Re: libcdio-0.83git on Solaris
From: Thomas Schmitt
Subject: [Libcdio-devel] Re: libcdio-0.83git on Solaris
Date: Thu, 10 Jun 2010 15:34:38 +0200
Hi,
Seth Goldberg pointed me to a solution for the
problem of undesired superuser powers on Solaris.
(One needs one of the superuser privileges to run
SCSI commands.)
It is not perfect yet, because:
- Solaris command pfexec is still needed.
It only loses its full superuser power when it
starts /usr/local/bin/xorriso .
- Each program needs its own entries in the
system configuration files.
- The effects of chmod do not persist over
reboot. But device files need r-permission for
the user or one of his groups.
Does anybody know where the permanent permissions
for device files are set in Solaris?
(In FreeBSD it is in /etc/devfs.rules)
As an example, what an application would have
to do, this is what I currently describe in
xorriso's README file:
------------------------------------------------
On Solaris:
Run xorriso by
  pfexec xorriso ...arguments...
The following recipe will make pfexec keep original UID and EUID and prevent
most superuser powers. Be aware that you still can manipulate all device files
if you have the file permissions for that.
Full root privileges for xorriso can then be acquired only by command su.
Edit /etc/security/exec_attr and add this line to the other "Media Backup"
lines:
  Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices
Edit /etc/user_attr and add profile "Media Backup" to the user's line:
  thomas::::profiles=Media Backup,Primary Administrator;roles=root
See also man privileges, man exec_attr, man user_attr.
Add the user to group "floppy" in /etc/group. Eventually create this group.
Changes to /etc/group affect only new login sessions, as it seems.
Then allow the group r-access to the drives
  pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
  pfexec chmod g+r /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2
The last two commands have to be executed after each boot. I do not know
the relevant device configuration files yet.
------------------------------------------------
Have a nice day :)
Thomas
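
Added example, not part of the original message or of xorriso: an offline check of which exec_attr entry pfexec would apply to xorriso for the user line quoted above. Solaris RBAC documents the profiles list as ordered, with the first profile that contains the command supplying its attributes, so the reduced privileges hold only while "Media Backup" stays ahead of "Primary Administrator". The "Primary Administrator" exec_attr line, the helper names and the fnmatch wildcard handling are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample files. The xorriso and thomas lines are the ones from the
# message; the "Primary Administrator" exec_attr line is an assumed entry.
EXEC_ATTR = """\
Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices
Primary Administrator:suser:cmd:::*:uid=0;gid=0
"""
USER_ATTR = "thomas::::profiles=Media Backup,Primary Administrator;roles=root\n"

def parse_attrs(field):
    """Split a 'key=value;key=value' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def records(text, nfields):
    """Yield colon-separated records, skipping comments and short lines."""
    for line in text.splitlines():
        fields = line.split(":", nfields - 1)
        if not line.startswith("#") and len(fields) == nfields:
            yield fields

def user_profiles(user_attr, user):
    """Profiles of `user` in the order listed (user:qualifier:res1:res2:attr)."""
    for name, _q, _r1, _r2, attr in records(user_attr, 5):
        if name == user:
            return [p for p in parse_attrs(attr).get("profiles", "").split(",") if p]
    return []

def resolve(exec_attr, profiles, command):
    """Return (profile, attrs) of the first listed profile that has a cmd
    entry matching `command` (name:policy:type:res1:res2:id:attr)."""
    entries = [(f[0], f[5], parse_attrs(f[6]))
               for f in records(exec_attr, 7) if f[2] == "cmd"]
    for profile in profiles:
        for name, pattern, attrs in entries:
            # fnmatch approximates exec_attr's '*' wildcard in the id field.
            if name == profile and fnmatchcase(command, pattern):
                return name, attrs
    return None, {}

def is_full_root(attrs):
    """True if the entry runs the command as root or with all privileges."""
    privs = attrs.get("privs", "").split(",")
    return "0" in (attrs.get("uid"), attrs.get("euid")) or "all" in privs

if __name__ == "__main__":
    profs = user_profiles(USER_ATTR, "thomas")
    for order in (profs, profs[::-1]):
        name, attrs = resolve(EXEC_ATTR, order, "/usr/local/bin/xorriso")
        print(order, "->", name, attrs, "full root:", is_full_root(attrs))
```

On a live system the effective result can be compared with the output of `profiles -l` for the user.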