From: Oliver Fuchs
To: freebsd-questions@freebsd.org
Date: Mon, 16 Aug 2004 06:11:28 +0200
Subject: Re: cd and dvd burning program K3b and permissions for non-root users.
Message-ID: <20040816041128.GA4289@oliverfuchs.ath.cx>
In-Reply-To: <5c33d22d.d22d5c33@prodigy.net.mx>

On Sat, 14 Aug 2004, edwinculp wrote:

> I've installed K3b and it works great for the root user but I can't get
> it to work for any non-privileged user even though I have put the user in
> the wheel group and have set sysctl vfs.usermount=1, cd0 has permissions
> set to 666, the same in devfs.conf (That solves the problem for xmms but
> not for k3b). I have tried to suid and kde won't let it start. I'm out of
> ideas. After this much time, I'm sure that I'm making a mountain out of a
> molehill and I'm missing something very simple.
>
> Any help would be appreciated. I can't see my users using burncd.

See /usr/ports/sysutils/k3b/pkg-message:

[...]
3. k3b has to be started from a root console, which is not recommended.
   Alternatively do the following:

3a. set the suid flag on cdrecord and cdrdao. The 'Notes' chapter of
    'man cdrecord' discusses this.

3b. - install sudo (security/sudo) and add the following line or similar
      to sudoers (usually in /usr/local/etc/sudoers):
        ALL ALL = NOPASSWD: /sbin/camcontrol devlist
    - or execute 'camcontrol devlist' for every user who should be able to
      use k3b. Resolve all errors, e.g. by giving him/her access rights to
      /dev/xpt0. 'camcontrol devlist' must run without error for all
      these users! Note that giving access rights to /dev/xpt* might be a
      security leak!
    - or give camcontrol the suid flag, which is a security leak as well.

3c. - For every user who should be able to use k3b and for every CD or DVD
      device add a directory in the user's home directory. These
      directories must be owned by the corresponding user. For each such
      directory add a line in /etc/fstab (see remark 2), like:
        /dev/cd0c /usr/home/XXX/cdrom cd9660 ro,noauto,nodev,nosuid 0 0
      Furthermore allow user mounts as described in topic 9.22 of the FAQ:
      http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/disks.html#USER-FLOPPYMOUNT
    - or just give mount and umount the sudo flag, which is a security
      leak.

3d. - Every user who should be able to use k3b must have read and write
      access to all pass through devices connected with CD and DVD drives.
      Run 'camcontrol devlist' to identify those devices (seek string
      'passX' at the end of each line and modify the rights of
      /dev/passX). Note that this is a security leak as well but that
      there is no alternative!
[...]

Oliver
-- 
... don't touch the bang bang fruit
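
Added example, not part of the original message or of the k3b pkg-message: step 3d says to find the passX devices in 'camcontrol devlist' output and change their rights. The script below picks out only the passX nodes that belong to a cdN drive and prints devfs.conf entries that open them to one group rather than to everybody (mode 666). The group name "burners" and the sample devlist output are constructed assumptions.

```sh
#!/bin/sh
# Added example: map `camcontrol devlist` output to group-scoped devfs.conf
# entries for optical drives only. Not from the original post.

# Constructed sample of `camcontrol devlist` output (one disk, two burners).
sample_devlist() {
cat <<'EOF'
<IBM DDYS-T18350N S96H>            at scbus0 target 0 lun 0 (pass0,da0)
<PLEXTOR CD-R PX-W1210A 1.10>      at scbus1 target 0 lun 0 (pass1,cd0)
<HL-DT-ST DVDRAM GSA-4082B A201>   at scbus2 target 0 lun 0 (cd1,pass2)
EOF
}

# Read devlist output on stdin; print "cdN passM" for each optical drive.
# Lines without a cd device (e.g. the da0 disk) are skipped, so a disk's
# pass-through node is never opened up by accident.
cd_pass_pairs() {
    sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p' | while IFS= read -r periphs; do
        cdev= pass=
        IFS=,                      # split "pass1,cd0" on commas
        for p in $periphs; do
            case $p in
                cd[0-9]*)   cdev=$p ;;
                pass[0-9]*) pass=$p ;;
            esac
        done
        if [ -n "$cdev" ] && [ -n "$pass" ]; then
            echo "$cdev $pass"
        fi
    done
}

# Read devlist output on stdin; print devfs.conf lines that give group $1
# (hypothetical name) read/write access and everyone else none.
devfs_conf_lines() {
    group=$1
    cd_pass_pairs | while read -r cdev pass; do
        for dev in "$cdev" "$pass"; do
            echo "own $dev root:$group"
            echo "perm $dev 0660"
        done
    done
}

# On a real system: camcontrol devlist | devfs_conf_lines burners
sample_devlist | devfs_conf_lines burners
```

Only members of the chosen group can then send pass-through commands to the burners; the disk behind pass0 keeps its default permissions.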