Jonatan Liljedahl wrote:
> Lucas C. Villa Real wrote:
>> On 3/8/07, Jonas Karlsson <[EMAIL PROTECTED]> wrote:
>>> I don't have the need for this type of fine grained security, but
>>> there might be people who do. One question that does come to mind is:
>>> is there a reason others have to have write access? Why not use 0664?
>>> I think cdrecord group is a good solution if we should keep this security
>>> level.
>> Why was I thinking about write permission there? Never mind, 0664
>> works pretty fine for the sake of reproducing audio cds. So, let's use
>> this permission and set cd/dvd group's owner as cdrecord. CDRDAO
>> recipe still needs to be fixed in order to use that group, though. Any
>> takers?
>
> Is it better to setgid cdrdao to 'cdrecord' group, OR to put users in
> this group? (installer could default to that, or one would need to add
> them manually...)
> The bad thing with setgid'ing cdrdao and other CDR tools would be that
> anyone would have the access to mess with the cd burner...
I thought some more about this and this is my final suggestion:

* Create a 'console' group
* Put new users in this group by default
* Let all device nodes of physical media stuff (cdrw, audio, camera, lp?, etc...) be owned by this group and be group writable (0664).
* Keep cdrdao, cdrecord, growisofs and all with plain permissions, owned by root.root, no setuid or setgid bits.

The problem with setgid'ing cd burning apps is:

* you would have to keep track of which software needs this and maintain this in their recipes and packages.
* some software would do other stuff as 'cdrecord' group, i.e. outputting files (ripping a CD with cdrdao) which would then be owned by 'cdrecord' group, kind of strange...

Also, using a single 'console' group is consistent and simple, merging access to common hardware to a single group, instead of having 'cdrecord', 'audio', 'printing', 'camera', etc... An admin who wishes to add networked users without such privileges would probably already know how to remove them from the console group by editing /etc/group.

-- 
/Jonatan - http://kymatica.com

_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
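The 'console' group proposal above, written out as a small audit script. This is an added example, not code from the thread or from GoboLinux: it checks that device nodes are group-owned by the console group with mode 0664 and that burner tools carry no setuid or setgid bit, using only POSIX sh and `ls -ld`. Because creating real device nodes and the 'console' group needs root, the demo at the bottom uses ordinary files in a temporary directory and the current user's own owner/group as the expected values; the function names and the expected-group arguments are this example's own choices.

```shell
#!/bin/sh
# Added audit script for the proposed policy (not from the thread):
#   device nodes  -> group-owned by the console group, mode 0664 (rw-rw-r--)
#   burner tools  -> owned by the expected owner:group, no setuid/setgid bits
# Only POSIX sh and `ls -ld` are used, so it runs unprivileged.

# file_facts PATH: fill FACT_MODE, FACT_OWNER and FACT_GROUP from `ls -ld`.
# Field 1 is the mode string, field 3 the owner and field 4 the group.
file_facts() {
    [ -e "$1" ] || { echo "$1: no such file"; return 1; }
    set -- $(ls -ld "$1")
    FACT_MODE=$1; FACT_OWNER=$3; FACT_GROUP=$4
}

# audit_device PATH GROUP: returns 0 when PATH is group-owned by GROUP and
# its mode string reads rw-rw-r-- (0664), non-zero (with a message) otherwise.
audit_device() {
    file_facts "$1" || return 1
    [ "$FACT_GROUP" = "$2" ] || { echo "$1: group is $FACT_GROUP, want $2"; return 1; }
    case "$FACT_MODE" in
        ?rw-rw-r--*) return 0 ;;   # trailing '+' or '.' (ACL/SELinux) is tolerated
        *) echo "$1: mode $FACT_MODE, want rw-rw-r-- (0664)"; return 1 ;;
    esac
}

# audit_tool PATH OWNER GROUP: returns 0 when PATH is owned by OWNER:GROUP
# and neither the setuid bit (position 4, owner exec) nor the setgid bit
# (position 7, group exec) shows up as 's'/'S' in the mode string.
audit_tool() {
    file_facts "$1" || return 1
    [ "$FACT_OWNER" = "$2" ] && [ "$FACT_GROUP" = "$3" ] \
        || { echo "$1: owner $FACT_OWNER:$FACT_GROUP, want $2:$3"; return 1; }
    case "$FACT_MODE" in
        ???[sS]*|??????[sS]*) echo "$1: setuid/setgid bit set ($FACT_MODE)"; return 1 ;;
        *) return 0 ;;
    esac
}

# demo: constructed stand-ins for /dev/cdrw and the burner binaries in a
# temp dir, owned by whoever runs the script. Returns 0 when the audit
# classifies all four files as expected.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/cdrw";        chmod 664  "$d/cdrw"         # compliant device node
    : > "$d/cdrw_bad";    chmod 600  "$d/cdrw_bad"     # root-only node, not group writable
    : > "$d/cdrecord";    chmod 755  "$d/cdrecord"     # plain permissions, as proposed
    : > "$d/cdrdao_sgid"; chmod 2755 "$d/cdrdao_sgid"  # setgid tool, the rejected approach
    file_facts "$d/cdrw"; owner=$FACT_OWNER; group=$FACT_GROUP
    rc=0
    audit_device "$d/cdrw" "$group"             || rc=1
    audit_device "$d/cdrw_bad" "$group"         && rc=1
    audit_tool "$d/cdrecord" "$owner" "$group"  || rc=1
    audit_tool "$d/cdrdao_sgid" "$owner" "$group" && rc=1
    rm -rf "$d"
    return $rc
}

demo && echo "audit behaves as expected"
```

Run it against real paths with `audit_device /dev/cdrw console` and `audit_tool /usr/bin/cdrecord root root` once the group exists; the demo only shows that the checks accept the proposed layout and flag a setgid burner.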