Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
On Tue, 12 Sep 2000 [EMAIL PROTECTED] wrote:
> Hmmm. No package called `scsidev' exists in Debian (potato|woody). Pointer?

Oops. scsidev is a part of the scsitools package.

Remco
--
qn195-66-31-144: 11:00pm up 8 days, 23:14, 6 users, load average: 2.03, 1.49, 1.69
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
Hmmm. No package called `scsidev' exists in Debian (potato|woody). Pointer?

On Tue, 12 Sep 2000, Remco Blaakmeer wrote:
> On Mon, 11 Sep 2000 [EMAIL PROTECTED] wrote:
> > The problem I have here is that the 'appropriate device' is not guaranteed to stay constant with respect to the SCSI bus and ID, the way IDE devices are for example. On my system (I believe this is actually the default) scd devices are group audio, perm 0660, and my cdripper account is in the audio group. Currently, I have two hard drives and two cdrom drives in this machine. The hard drives are at IDs 0 and 1, and the cdrom drives are at IDs 5 and 6.
> >
> > ID:  generic:
> > 0    sg0
> > 1    sg1
> > 5    sg2
> > 6    sg3
> >
> > Now I want to connect an external hard drive to my machine, so I have more storage space for my music collection. I set this drive to ID 3.
> >
> > ID:  generic:
> > 0    sg0
> > 1    sg1
> > 3    sg2
> > 5    sg3
> > 6    sg4
> >
> > Notice that now my external hard drive has access by audio group through the generic device, and my second cdrom drive is no longer accessible by the audio group.
>
> To circumvent this problem, you could use the scsidev package to create the appropriate nodes in /dev/scsi/ and set permissions on them. These permissions will be preserved on reboots. The major and minor device numbers will be adjusted if necessary at every reboot. /dev/scsi/sgh24-6c00c0i3l0 will always point at LUN 0 of the device with ID 3 on bus 0 of the SYM5c8xx scsi-adapter at memory address 6c000.
>
> You do need to run scsidev again if you add scsi devices while Linux is running, though.
>
> Remco
> --
> qn195-66-31-144: 7:55pm up 7 days, 20:09, 11 users, load average: 1.02, 1.21, 1.40
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
On Mon, 11 Sep 2000, Dale E. Martin wrote:
> > Basically, cdparanoia requires use of 'scsi-generic' (/dev/sg*) when reading from SCSI cdrom drives. /dev/sg device nodes are created with root.root ownership and mode 0600.
>
> Which is correct - you definitely want tight access on your devices.
>
> > As relaxing permissions in general on /dev/sg* would create more of a potential security risk for SCSI-based systems, and there is no constant mapping between [/dev/scd*] and [/dev/sg*], cdparanoia should be made suid root and should drop root privileges after determining which /dev/sg* device to use and opening said device. Such checking should also be made after a permission check of the /dev/scd* device.
>
> I'm not sure I agree with your solution. cdparanoia runs fine (AFAIK) if you go set the permissions on the appropriate device correctly. The basic solution that I've used on my own systems is to change the ownership of the appropriate sg* and scd* devices to the audio group, set the permissions to 0660, and then added myself (and anyone else needing access on shared machines) to the audio group.

The problem I have here is that the 'appropriate device' is not guaranteed to stay constant with respect to the SCSI bus and ID, the way IDE devices are for example. On my system (I believe this is actually the default) scd devices are group audio, perm 0660, and my cdripper account is in the audio group. Currently, I have two hard drives and two cdrom drives in this machine. The hard drives are at IDs 0 and 1, and the cdrom drives are at IDs 5 and 6.

ID:  generic:
0    sg0
1    sg1
5    sg2
6    sg3

Now I want to connect an external hard drive to my machine, so I have more storage space for my music collection. I set this drive to ID 3.

ID:  generic:
0    sg0
1    sg1
3    sg2
5    sg3
6    sg4

Notice that now my external hard drive has access by audio group through the generic device, and my second cdrom drive is no longer accessible by the audio group.

Basically, cdparanoia and the installer scripts cannot depend on a fixed mapping between the scd device and the sg device.

On the other hand, I believe this will be a moot point under devfs.

> Granted, this isn't so simple for newbie users but it works without running cdparanoia suid root, which would generally be considered a Bad Thing. Perhaps the right answer is a post install that figures out the devices to use (via cdparanoia itself) and then asks who needs to be able to run it. That would be more work than I currently have time for, but I would entertain any solution that was offered.
>
> > -- System Information
> > Debian Release: 2.2
> > Kernel Version: Linux heathen 2.2.17-usb-trelos #1 Fri Aug 4 21:11:48 PDT 2000 i586 unknown
> >
> > Versions of the packages cdparanoia depends on:
> > ii  libcdparanoia0  3a9.7-2  Shared libraries for cdparanoia (runtime lib)
>
> I will be updating the package this week as I've received several bug reports, including one about source dependencies and a couple that I've been putting off for some time. I'll be putting some info in Readme.Debian about IDE/SCSI emulation, and I'll also note the solution that I've suggested here.
>
> Comments welcome. I'm not subscribed to debian-devel so please Cc me on any replies.
>
> Thanks,
> Dale
> --
> pgp key available
> Dale E. Martin | Clifton Labs, Inc. | Senior Computer Engineer
> [EMAIL PROTECTED] | http://www.clifton-labs.com
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
> The problem I have here is that the 'appropriate device' is not guaranteed to stay constant with respect to the SCSI bus and ID, the way IDE devices are for example. On my system (I believe this is actually the default) scd devices are group audio, perm 0660, and my cdripper account is in the audio group. Currently, I have two hard drives and two cdrom drives in this machine. The hard drives are at IDs 0 and 1, and the cdrom drives are at IDs 5 and 6.
>
> ID:  generic:
> 0    sg0
> 1    sg1
> 5    sg2
> 6    sg3
>
> Now I want to connect an external hard drive to my machine, so I have more storage space for my music collection. I set this drive to ID 3.
>
> ID:  generic:
> 0    sg0
> 1    sg1
> 3    sg2
> 5    sg3
> 6    sg4
>
> Notice that now my external hard drive has access by audio group through the generic device, and my second cdrom drive is no longer accessible by the audio group.
>
> Basically, cdparanoia and the installer scripts cannot depend on a fixed mapping between the scd device and the sg device.

I think that's even more of an argument for not having automated lookups occurring. I.e. you want to know what you're doing to be accessing raw SCSI devices. That's simply my opinion of course...

I can see how you arrived at the solution that you did now though. So far, you're the only person that's sent me email advocating SUID root. Would documenting that as a solution, and describing how to do it in Readme.Debian, along with the other approaches/problems be sufficient in your opinion?

> On the other hand, I believe this will be a moot point under devfs.

I brought this up once on debian devel. A lot of people are very anti-devfs. I still haven't ever played with it and have no opinion of my own on it.

Later,
Dale
--
pgp key available
Dale E. Martin | Clifton Labs, Inc. | Senior Computer Engineer
[EMAIL PROTECTED] | http://www.clifton-labs.com
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
On Tue, 12 Sep 2000, Dale E. Martin wrote:
> > The problem I have here is that the 'appropriate device' is not guaranteed to stay constant with respect to the SCSI bus and ID, the way IDE devices are for example. On my system (I believe this is actually the default) scd devices are group audio, perm 0660, and my cdripper account is in the audio group. Currently, I have two hard drives and two cdrom drives in this machine. The hard drives are at IDs 0 and 1, and the cdrom drives are at IDs 5 and 6.
> >
> > ID:  generic:
> > 0    sg0
> > 1    sg1
> > 5    sg2
> > 6    sg3
> >
> > Now I want to connect an external hard drive to my machine, so I have more storage space for my music collection. I set this drive to ID 3.
> >
> > ID:  generic:
> > 0    sg0
> > 1    sg1
> > 3    sg2
> > 5    sg3
> > 6    sg4
> >
> > Notice that now my external hard drive has access by audio group through the generic device, and my second cdrom drive is no longer accessible by the audio group.
> >
> > Basically, cdparanoia and the installer scripts cannot depend on a fixed mapping between the scd device and the sg device.
>
> I think that's even more of an argument for not having automated lookups occurring. I.e. you want to know what you're doing to be accessing raw SCSI devices. That's simply my opinion of course...
>
> I can see how you arrived at the solution that you did now though. So far, you're the only person that's sent me email advocating SUID root. Would documenting that as a solution, and describing how to do it in Readme.Debian, along with the other approaches/problems be sufficient in your opinion?
>
> > On the other hand, I believe this will be a moot point under devfs.
>
> I brought this up once on debian devel. A lot of people are very anti-devfs. I still haven't ever played with it and have no opinion of my own on it.

I haven't played with or looked at devfs yet either, but what I have heard indicates that device naming (outside the /dev/ compatibility entries) should be closer in style to Solaris device naming, in particular where bus-based devices are named with the bus # and ID #.

Anyway, I would suggest that, if cdparanoia is set suid root, it do whatever device consistency checking it does, open the particular generic device it needs, then drop suid privileges.

The administrator should be asked if cdparanoia should be installed suid root, with the default to be NO. debconf could ask something like the following:

    cdparanoia is by default not installed SUID root. This is normally a good thing, because a bug in the cdparanoia executable or the kernel SCSI system could conceivably lead to cdparanoia accessing a non-cdrom device and potentially causing data corruption. However, if you wish to allow normal users access to extract audio using SCSI cdrom drives, then you should install cdparanoia SUID root. If you do not have any SCSI cdrom drives you should answer NO here.
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
On Tue, Sep 12, 2000 at 07:48:14AM -0400, Dale E. Martin wrote:
> I can see how you arrived at the solution that you did now though. So far, you're the only person that's sent me email advocating SUID root. Would documenting that as a solution, and describing how to do it in Readme.Debian, along with the other approaches/problems be sufficient in your opinion?

In general, it is a bad idea to set the setuid bit on programs that were not designed to be so. Most programs written for use without elevated privileges contain bugs and potential security holes that could lead to problems if they are made setuid. I would not recommend this method as a solution to Debian users.

--
 - mdz
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
On Mon, 11 Sep 2000 [EMAIL PROTECTED] wrote:
> The problem I have here is that the 'appropriate device' is not guaranteed to stay constant with respect to the SCSI bus and ID, the way IDE devices are for example. On my system (I believe this is actually the default) scd devices are group audio, perm 0660, and my cdripper account is in the audio group. Currently, I have two hard drives and two cdrom drives in this machine. The hard drives are at IDs 0 and 1, and the cdrom drives are at IDs 5 and 6.
>
> ID:  generic:
> 0    sg0
> 1    sg1
> 5    sg2
> 6    sg3
>
> Now I want to connect an external hard drive to my machine, so I have more storage space for my music collection. I set this drive to ID 3.
>
> ID:  generic:
> 0    sg0
> 1    sg1
> 3    sg2
> 5    sg3
> 6    sg4
>
> Notice that now my external hard drive has access by audio group through the generic device, and my second cdrom drive is no longer accessible by the audio group.

To circumvent this problem, you could use the scsidev package to create the appropriate nodes in /dev/scsi/ and set permissions on them. These permissions will be preserved on reboots. The major and minor device numbers will be adjusted if necessary at every reboot. /dev/scsi/sgh24-6c00c0i3l0 will always point at LUN 0 of the device with ID 3 on bus 0 of the SYM5c8xx scsi-adapter at memory address 6c000.

You do need to run scsidev again if you add scsi devices while Linux is running, though.

Remco
--
qn195-66-31-144: 7:55pm up 7 days, 20:09, 11 users, load average: 1.02, 1.21, 1.40
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
> Basically, cdparanoia requires use of 'scsi-generic' (/dev/sg*) when reading from SCSI cdrom drives. /dev/sg device nodes are created with root.root ownership and mode 0600.

Which is correct - you definitely want tight access on your devices.

> As relaxing permissions in general on /dev/sg* would create more of a potential security risk for SCSI-based systems, and there is no constant mapping between [/dev/scd*] and [/dev/sg*], cdparanoia should be made suid root and should drop root privileges after determining which /dev/sg* device to use and opening said device. Such checking should also be made after a permission check of the /dev/scd* device.

I'm not sure I agree with your solution. cdparanoia runs fine (AFAIK) if you go set the permissions on the appropriate device correctly. The basic solution that I've used on my own systems is to change the ownership of the appropriate sg* and scd* devices to the audio group, set the permissions to 0660, and then added myself (and anyone else needing access on shared machines) to the audio group.

Granted, this isn't so simple for newbie users but it works without running cdparanoia suid root, which would generally be considered a Bad Thing. Perhaps the right answer is a post install that figures out the devices to use (via cdparanoia itself) and then asks who needs to be able to run it. That would be more work than I currently have time for, but I would entertain any solution that was offered.

> -- System Information
> Debian Release: 2.2
> Kernel Version: Linux heathen 2.2.17-usb-trelos #1 Fri Aug 4 21:11:48 PDT 2000 i586 unknown
>
> Versions of the packages cdparanoia depends on:
> ii  libcdparanoia0  3a9.7-2  Shared libraries for cdparanoia (runtime lib)

I will be updating the package this week as I've received several bug reports, including one about source dependencies and a couple that I've been putting off for some time. I'll be putting some info in Readme.Debian about IDE/SCSI emulation, and I'll also note the solution that I've suggested here.

Comments welcome. I'm not subscribed to debian-devel so please Cc me on any replies.

Thanks,
Dale
--
pgp key available
Dale E. Martin | Clifton Labs, Inc. | Senior Computer Engineer
[EMAIL PROTECTED] | http://www.clifton-labs.com
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
Quoting Dale E. Martin [EMAIL PROTECTED]:
> > As relaxing permissions in general on /dev/sg* would create more of a potential security risk for SCSI-based systems, and there is no constant mapping between [/dev/scd*] and [/dev/sg*], cdparanoia should be made suid root and should drop root privileges after determining which /dev/sg* device to use and opening said device. Such checking should also be made after a permission check of the /dev/scd* device.
>
> I'm not sure I agree with your solution.

Neither do I... In no way should mapping or device modes be available to ordinary users. It actually happened to me once, when I wasn't paying enough attention, that I managed to map sga to sda, which you can imagine isn't good :)

If you are root, your problem, your disk, your process. But if I make that mistake (setting the modes wrong) as root and another user tries to use cdparanoia (or whatever) and messes the hard disk up, then whose fault is it (really)? And does it really matter? The disk/content is gone...

The modes and execution as cdparanoia/cdwrite/whatever SHOULD be done as root, manually, after having CAREFULLY read and understood any cdwriting HOWTO. That way no special user (or the Debian maintainer) can be blamed for errors/problems that can arise from automatic generation of any modes...

--
kibo explosion security nuclear genetic Ft. Meade Iran Panama Cuba cracking North Korea Ft. Bragg nitrate president NORAD
[See http://www.aclu.org/echelonwatch/index.html for more about this]