[lug] File permissions & groups
Riggs, Rob
RRiggs at doubleclick.net
Tue Mar 12 09:13:29 MST 2002
Red Hat uses PAM's console.perms(5) to set permissions on the devices
themselves to the console user, rather than using setuid root applications.
It's a much safer way to achieve what you want.
I have the following set on my system:
In /etc/security/console.perms:
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
And:
lrwxrwxrwx 1 root root 8 Feb 3 20:46 /dev/cdwriter -> /dev/sg2
On login, PAM sets the owner on /dev/sg2 to the console owner, which is the
first user to log in on the local console, either on a VT or via X.
-Rob
P.S. I've thought about giving a 10-minute talk on console.perms, if
anyone's interested. Probably not this month though...
-----Original Message-----
From: Gary Hodges [mailto:Gary.Hodges at noaa.gov]
Sent: Tuesday, March 12, 2002 8:54 AM
To: lug at lug.boulder.co.us
Subject: [lug] File permissions & groups
I'm fairly certain I could run cdrecord and mkisofs as a regular user a
few weeks ago, so I'm guessing an update has changed some permissions.
~>ls -l /usr/bin/mkisofs
-rws--x--- 1 root cdwrite 353084 Aug 8 2001 /usr/bin/mkisofs*
~>ls -l /usr/bin/cdrecord
-rws--x--- 1 root cdwrite 177852 Aug 8 2001 /usr/bin/cdrecord*
I've just read a doc on file permissions and if I understand it
correctly, having the SUID bit set should allow a regular user to run
these programs. I've also tried adding myself, the regular user, to the
cdwrite group, but I still can't run these commands. What am I missing?
Gary -- RHL 7.2 with all up2date's
_______________________________________________
Web Page: http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
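
Added example, not part of the original thread: a small model of the standard Unix execute-permission check applied to the `-rws--x---` root:cdwrite mode shown in the listing above. It shows why group membership, not the SUID bit, decides who may run the binary, and that every permitted caller then runs it as root. The numeric UIDs and GIDs are constructed, and the model ignores ACLs, `nosuid` mounts and root's override.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    mode: int   # permission bits, including setuid
    uid: int    # owning user
    gid: int    # owning group

@dataclass(frozen=True)
class Session:
    uid: int
    groups: frozenset  # GIDs held by the running login session

# Constructed IDs for illustration; only the mode and names come from the thread.
ROOT_UID, CDWRITE_GID, GARY_UID, GARY_GID = 0, 500, 1000, 1000
MKISOFS = FileMeta(mode=0o4710, uid=ROOT_UID, gid=CDWRITE_GID)  # -rws--x---

def exec_decision(f, s):
    """Return (allowed, class_consulted, euid_after_exec or None)."""
    # Exactly one permission class is consulted: owner, else group, else other.
    if s.uid == f.uid:
        cls, xbit = "owner", stat.S_IXUSR
    elif f.gid in s.groups:
        cls, xbit = "group", stat.S_IXGRP
    else:
        cls, xbit = "other", stat.S_IXOTH
    if not f.mode & xbit:
        return (False, cls, None)  # setuid never grants execute by itself
    # Once exec is permitted, setuid switches the effective UID to the owner.
    euid = f.uid if f.mode & stat.S_ISUID else s.uid
    return (True, cls, euid)

def mode_string(f):
    """Render the mode the way ls -l does, for comparison with the listing."""
    return stat.filemode(stat.S_IFREG | f.mode)

if __name__ == "__main__":
    # Session whose group list does not contain cdwrite.
    before = Session(GARY_UID, frozenset({GARY_GID}))
    # Session started after being added to cdwrite (groups are read at login).
    after = Session(GARY_UID, frozenset({GARY_GID, CDWRITE_GID}))
    print(mode_string(MKISOFS))
    print("before:", exec_decision(MKISOFS, before))
    print("after: ", exec_decision(MKISOFS, after))
```

The second result is the reason the console.perms approach is described as safer: with the setuid binary, any session holding the cdwrite group executes the whole program with an effective UID of root.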