xcdroast and k3b non-root permissions?

Paul Howarth paul at city-fan.org
Tue Mar 29 10:48:25 UTC 2005


Matthew Rex wrote:
> On Tue, 2005-03-29 at 06:41, Markku Kolkka wrote:
> 
>>Paul Howarth wrote in his message (sent Monday, 28 March 2005 18:58):
>>
>>>What should be happening now is that
>>>/etc/security/console.perms and the fstab entry for your cd
>>>writer should ensure that the ownership of the device is set
>>>to the currently-logged-in user, and that's not happening
>>
>>The problem seems to be that Matthew is logging in remotely by 
>>ssh, so pam_console doesn't get activated.
> 
> 
> If I log in as non-root user I get:
> 
> lrwxrwxrwx  1 root root     3 Mar 28 21:25 /dev/cdrom -> hdc
> lrwxrwxrwx  1 root root     3 Mar 28 21:25 /dev/cdwriter -> hdc
> brw-rw----  1 root disk 22, 0 Mar 28 21:25 /dev/hdc
> 
> /etc/fstab has:
> /dev/hdc                /media/cdrecorder       auto    pamconsole,exec,noauto,fscontext=system_u:object_r:removable_t,managed 0 0

When you say you "log in", is this directly on the system itself, or by ssh?

> I'm a bit lost with this pamconsole stuff. Do I need a "pam-tty" sort of
> equivalent in there as well? I can't find these in the "man mount".
> 
> Are the permissions supposed to get set when you log in or only when you
> (or a process running under your login) tries to access the device?
> Hopefully the latter?

The ownership of the device is set to be that of the person logged in 
*on the console* because that is the person that will have physical 
access to the device. There would be no point at all in setting up 
permissions on a device-access basis because you might as well just make 
the permissions 777 and let anyone write to it whenever they wanted, 
which would be a security issue.

> For what it's worth: I used to use xcdroast compiled for non-root use
> with RH7.3 via ssh/X11forwarding all the time...

If you want to do CD-burning from a remote machine, you probably need to 
"unmanage" the device (remove the pamconsole and managed terms from the 
fstab entry) so that pam does not change the ownership of the device, 
and write a custom udev rule/permissions entry to set the device up with 
the permissions you want.

You can read about udev in Fedora at:
http://fedora.redhat.com/docs/udev/

Paul.
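
An added example, not part of the original message or of any Fedora tool: a small Python check for the two points in the reply above, whether an fstab entry is still managed by pam_console (the `pamconsole` and `managed` terms) and whether a device mode is world-writable. The function names are hypothetical; the fstab line and the `brw-rw----` mode are the ones quoted in the thread, and `brwxrwxrwx` is a constructed 777 case.

```python
# Added example (not from the original thread): audit an fstab entry for
# pam_console management and a device mode string for world-writability.

# The two fstab terms the message says to remove to "unmanage" a device.
MANAGED_OPTS = {"pamconsole", "managed"}

# fstab entry quoted in the thread, re-joined onto one line.
SAMPLE_FSTAB = ("/dev/hdc /media/cdrecorder auto "
                "pamconsole,exec,noauto,"
                "fscontext=system_u:object_r:removable_t,managed 0 0")

def parse_fstab_line(line):
    """Parse one fstab line into a dict; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("fstab entry needs at least four fields: %r" % line)
    fields += ["0"] * (6 - len(fields))      # dump and pass default to 0
    return {"device": fields[0], "mountpoint": fields[1], "fstype": fields[2],
            "options": fields[3].split(","), "dump": fields[4], "passno": fields[5]}

def is_managed(entry):
    """True if pam_console would still take ownership of this device."""
    return any(opt in MANAGED_OPTS for opt in entry["options"])

def unmanage(entry):
    """Return a copy of the entry with the pam_console terms removed."""
    kept = [opt for opt in entry["options"] if opt not in MANAGED_OPTS]
    return dict(entry, options=kept or ["defaults"])

def format_entry(entry):
    """Render the entry back into a tab-separated fstab line."""
    return "\t".join([entry["device"], entry["mountpoint"], entry["fstype"],
                      ",".join(entry["options"]), entry["dump"], entry["passno"]])

def world_writable(ls_mode):
    """True if an `ls -l` mode string such as 'brw-rw----' grants write to others."""
    if len(ls_mode) != 10:
        raise ValueError("expected a 10-character mode string: %r" % ls_mode)
    return ls_mode[8] == "w"

if __name__ == "__main__":
    entry = parse_fstab_line(SAMPLE_FSTAB)
    print("managed by pam_console:", is_managed(entry))
    print("unmanaged entry:", format_entry(unmanage(entry)))
    # 'brw-rw----' is /dev/hdc from the thread; 'brwxrwxrwx' is a constructed 777 case.
    for mode in ("brw-rw----", "brwxrwxrwx"):
        print(mode, "world-writable" if world_writable(mode) else "ok")
```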



