Hi, Seth Goldberg pointed me to a solution for the problem of undesired superuser powers on Solaris. (One needs one of the superuser privileges to run SCSI commands.)
It is not perfect yet, because: - Solaris command pfexec is still needed. It only loses its full superuser power when it starts /usr/local/bin/xorriso . - Each program needs its own entries in the system configuration files. - The effects of chmod do not persist over reboot. But device files need r-permission for the user or one of his groups. Does anybody know where the permanent permissions for device files are set in Solaris ? (In FreeBSD it is in /etc/devfs.rules) As an example, what an application would have to do, this is what i currently describe in xorriso's README file: ------------------------------------------------ On Solaris: Run xorriso by pfexec xorriso ...arguments... The following reciepe will make pfexec keep original UID and EUID and prevent most superuser powers. Be aware that you still can manipulate all device files if you have the file permissions for that. Full root privileges for xorriso can then be aquired only by command su. Edit /etc/security/exec_attr and add this line to the other "Media Backup" lines: Media Backup:solaris:cmd:::/usr/local/bin/xorriso:privs=basic,sys_devices Edit /etc/user_attr and add profile "Media Backup" to the user's line: thomas::::profiles=Media Backup,Primary Administrator;roles=root See also man privileges, man exec_attr, man user_attr. Add the user to group "floppy" in /etc/group. Eventually create this group. Changes to /etc/group affect only new login sessions, as it seems. Then allow the group r-access to the drives pfexec chgrp floppy /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2 pfexec chmod g+r /dev/rdsk/c3t0d0s2 /dev/rdsk/c4t0d0s2 The last two commands have to be executed after each boot. I do not know the relevant device configuration files yet. ------------------------------------------------ Have a nice day :) Thomas
