DaemonForums  

#1 Nirbo (Nicholas Kirby), 10th May 2008
k3b as non-privileged user

k3b usage as non-root/non-wheel user:

First of all, the k3b port expects you to be using a SCSI drive, so if you've a SCSI drive, you probably will not need this step, but for all of us IDE people, there's ATAPICAM, for which the following line must be compiled into the kernel:

Code:
device          atapicam                # ATAPI/CAM device

You must also have ATAPI for CD drives, and SCSI stuff still in your kernel. If you're using GENERIC currently, everything else is already in the kernel.

atapicam is also loadable as a kernel module, atapicam.ko! To use this method instead of recompiling your kernel, add the following to /boot/loader.conf

Code:
atapicam_load="YES"

Also, you should edit your /etc/fstab file, and add all of your CD drives with their ATAPI/CAM device names... Essentially, the easiest way to do this is copy your /dev/acd0 line, paste it to the end of the file, and change it to cd0.

e.g.
Code:
/dev/acd0               /cdrom          cd9660  ro,noauto       0       0
/dev/cd0                /cdrom          cd9660  ro,noauto       0       0

Now, starting k3b now wouldn't be a help, and you'd get two error messages as it started telling you that both cdrecord and cdrdao are set to run with root privileges, and that you can fix it with K3bSetup, which I've never been able to find, and don't think is used with FreeBSD. However, these two commands will do the trick.

Code:
chmod 4711 /usr/local/bin/cdrecord
chmod 4711 /usr/local/bin/cdrdao

Note: If burning (Video, and I'd assume any DVD without an ISO) DVDs, you must also set /usr/local/bin/growisofs as suid as well.

These will set both programs to use the suid of root despite the user who runs them, and thereby give them root privileges...

At this particular moment, k3b will start without error! But unfortunately, it won't detect any drives either, which means you're SOL, right? Not quite!

This is the part I actually had to figure out without help, so I'm proud of me. From the console output of k3b, it seems that while root can do as it likes, the normal user has no permission to access the devices that ATAPICAM uses, which can be fixed easily enough with...

Code:
chmod 666 /dev/xpt0
chmod 666 /dev/pass0

NOTE: They only require 666, because they do not need root privileges, as do cdrecord and cdrdao.

NOTE2: These permissions will reset after rebooting, so you must add the following to /etc/devfs.conf so the permissions are set properly at boot.

NOTE3: If you have more than one CD/DVD drive (i.e. acd0, acd1, acd2) that are going through atapicam (i.e. cd0, cd1, cd2), you will also have multiple pass devices. Make sure permissions are set to 0666 for all of them. There should still only be xpt0 however.

NOTE4: One thing recommended by the k3b port is to add 'devd_enable="YES"' to /etc/rc.conf... it seems like a good idea to me ... It helps give permanence to the changes in /etc/devfs.conf

Code:
perm xpt0 0666
perm pass0 0666

There! Your k3b should be working perfectly as a normal, non-root, non-wheel user!

Last edited by Carpetsmoker; 10th May 2008 at 07:02 AM. Reason: Fix title, bbcode, and spelling

#2 robbak (Robert Backhaus), 10th May 2008

Just a note: if you have a multi-user system with SCSI-based disks, then you must not set xpt0 permissions like this. It gives all users access to the SCSI bus that can be used to do some nasty things. Read and understand xpt(4).
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.

#3 Nirbo (Nicholas Kirby), 10th May 2008

Hm, I do suppose that is a bit of a concern...

Any insight how to set it up better to provide similar access to the devices for users while keeping the bus from getting tinkered with?

AFAICT, the only reason for setting the permissions is so the programs can see the drives are there. Perhaps the permissions can be set on the drives themselves and xpt can be left alone?... (I haven't got BSD running at the moment, so I cannot be sure.)

#4 robbak (Robert Backhaus), 10th May 2008

I think (but could easily be wrong) that it only uses it for scanning the bus to locate drives. If K3B can be configured, it may be able to work without further access to xpt. Worth trying, but my BSD desktop is now considerably out of date. I have only got Dial-up at home (!! Stone Age), unless you count my mobile phone, which gives me up to 8Mbps, at $2000/GB!!! (Telstra, boys. Love this country. A few months ago it was $15,000!). I could get it down to $250 if I give them $50 a month up front. But all this is off-topic.

#5 Nirbo (Nicholas Kirby), 10th May 2008

Now I really want to get FreeBSD running so I can try it out!

I can sympathize though, for years all I had was 33.6kbps (I lived in the Canadian Arctic.) Going back now would probably drive me mad.

This may be worth digging up the old PC... (new PC's NIC isn't supported by FreeBSD)

#6 BSDKaffee (Jason Hale), 15th May 2008

Quote:
Originally Posted by Nirbo View Post
Also, you should edit your /etc/fstab file, and add all of your CD drives with their ATAPI/CAM device names... Essentially, the easiest way to do this is copy your /dev/acd0 line, paste it to the end of the file, and change it to cd0.

e.g.
Code:
/dev/acd0               /cdrom          cd9660  ro,noauto       0       0
/dev/cd0                /cdrom          cd9660  ro,noauto       0       0

NOTE: If you use k3b in KDE or any other desktop with HAL enabled (default on KDE), do not add these fstab entries. Doing so will prevent HAL from mounting your CDs/DVDs.

Quote:
Originally Posted by Nirbo View Post
NOTE2: These permissions will reset after rebooting, so you must add the following to /etc/devfs.conf so the permissions are set properly at boot

NOTE4: One thing recommended by the k3b port is to add 'devd_enable="YES"' to /etc/rc.conf... it seems like a good idea to me ... It helps give permanence to the changes in /etc/devfs.conf

Code:
perm xpt0 0666
perm pass0 0666

Another way to deal with the permissions issue is to use rulesets. This is advantageous if you use removable drives. Rulesets are defined in /etc/devfs.rules and you may have to create this file if it does not already exist. For more information see devfs(8) and devfs.rules(5). Here is an example /etc/devfs.rules that will set read/write permissions for the devices required for k3b to operate as a non-privileged user:
Code:
# MYBOX's rules
#
[mybox_rules=100]
add path 'acd*' mode 666
add path 'cd*' mode 666
add path 'pass*' mode 666
add path xpt0 mode 666

Then edit /etc/rc.conf and add:
Code:
devfs_system_ruleset="mybox_rules"

#7 running_fist, 8th September 2008
permission fix

I believe when this came up on the old forum the more secure method was to assign anyone who will need access to a group (i.e. cdwriters) and set the permissions:

# MYBOX's rules
#
[mybox_rules=100]
add path 'acd*' mode 660 group cdwriters
add path 'cd*' mode 660 group cdwriters
add path 'pass*' mode 660 group cdwriters
add path xpt0 mode 660 group cdwriters


k3b likes it and it appears to be more restrictive
Reply With Quote
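
Added example, not part of any post in this thread: a small sh/awk audit that reads devfs.rules text and reports whether the CAM nodes discussed above (xpt*, pass*) are reachable by users outside the owner and group. The function name, output format and both sample rulesets (copied from posts #6 and #7 and labelled as constructed input) are assumptions of this example; it only parses `add path ... mode ... [group ...]` lines as they appear on this page.

```shell
#!/bin/sh
# Added example (not from the thread): audit devfs.rules text for CAM nodes
# (xpt*, pass*) that are accessible to users outside the owner and group.

audit_devfs_rules() {
    # Reads rules from the named file(s), or stdin when none is given.
    # Prints one line per xpt*/pass* rule; exit status 1 if any is world-accessible.
    awk '
    /^[ \t]*#/ { next }                            # comment lines
    $1 == "add" && $2 == "path" {
        path = $3; gsub("\047", "", path)          # drop quotes around globs
        mode = ""; group = "-"
        for (i = 4; i < NF; i++) {
            if ($i == "mode")  mode  = $(i + 1)
            if ($i == "group") group = $(i + 1)
        }
        if (mode == "" || path !~ /^(xpt|pass)/) next
        other = substr(mode, length(mode), 1) + 0  # last octal digit: "other" bits
        if (other != 0) { print "WORLD", path, mode, group; bad++ }
        else            { print "OK", path, mode, group }
    }
    END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample: the mode 666 ruleset from post #6.
rules_open() {
    cat <<'EOF'
[mybox_rules=100]
add path 'acd*' mode 666
add path 'cd*' mode 666
add path 'pass*' mode 666
add path xpt0 mode 666
EOF
}

# Constructed sample: the group-restricted ruleset from post #7.
rules_group() {
    cat <<'EOF'
[mybox_rules=100]
add path 'acd*' mode 660 group cdwriters
add path 'cd*' mode 660 group cdwriters
add path 'pass*' mode 660 group cdwriters
add path xpt0 mode 660 group cdwriters
EOF
}

rules_open  | audit_devfs_rules || echo "post #6 rules: world-accessible CAM nodes"
rules_group | audit_devfs_rules && echo "post #7 rules: CAM nodes limited to group"
```

To check a live system, pass the file as an argument (`audit_devfs_rules /etc/devfs.rules`); on FreeBSD the group from post #7 can be created with `pw groupadd cdwriters` and populated with `pw groupmod cdwriters -m <user>`. An `OK` line still means every member of that group can open the node, so group membership is the access list to review.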