Re: [expert] Ownership of devices
One of the alternatives, and a simple one in a case like this, is to use sudo. j --- "David E. Fox" <[EMAIL PROTECTED]> wrote: > > I've just been trying to use KFloppy to format a floppy disk from > > within the K Desktop Environment. As I was logged in as an > > ordinary user (jmorley) and a member of an ordinary group (users) > > I might be viewed as a right-wing conservative, but I'm of the opinion > that ordinary users should not be able to access raw devices, period. That's > why the Unix permission scheme exists, among other things. > > Of course, it's a bit inconvenient to ask root to format the floppies for > you, and in Linux's case, you happen to be root as well. That's one of > the things that root is supposed to do, so switch hats and do the > operation as root. > > Still, many suggest that even that is less convenient than just doing > the thing as a user, so various means to "circumvent" these restrictions > have arised. Personally speaking, I haven't really bothered with them - I > still typically mount/unmount/format things as root. > > > my attempt to access the /dev/fd0h1440 device (owned by root.floppy, > > permissions brw-rw) failed. > > OK, if you are not a member of the floppy group, or have ownership of the > device, you can't use it. Seems fine to me. > > > > > added my ordinary username (jmorley) to the entry for floppy: > > > > floppy:x:19:jmorley > > Adding yourself to the floppy group is a workaround. I don't see why > you can't access the device at that point. You shouldn't have to 'newgrp > floppy' because 'floppy' already exists. You might have to relogin again. > > > What happens with 'fdformat /dev/fd0' once you're a member of the floppy > group? If you can do that it would prove you have (group) access to the > floppy device and can format floppies. If you can do that and still can't > use kfloppy it would be a problem with the latter. > > > > The obvious solution would be to change the ownership of /dev/fd0* > > to jmorley but I'm reluctant to do that until I've considered all > > the ramifications. > > Don't. That circumvents the whole point of the permissions. Really, I'm > kind of appalled at all this 'new-fangled' methodology to make Unix > resemble DOS :). > > > John Morley ([EMAIL PROTECTED]) > > > David E. Fox Thanks for letting me > [EMAIL PROTECTED]change magnetic patterns > [EMAIL PROTECTED] on your hard disk. > --- > __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/
Re: [expert] Ownership of devices
> working. I can now use the KFloppy icon as it was intended and I > haven't compromised the security of my system. So as workarounds > go it's not a bad one. Yes, it's an ok workaround. Alternatives are making the kfloppy and related tools setgid floppy or setuid root. The latter shouldn't be needed, and is a security risk because it makes the app run as if it were the root user Setgid floppy isn't a very good choice either, considering that it allows non-members of the group direct access to the hardware. . > The only other way to make KFloppy useful would be to make it pop > up a dialogue box asking for the root password, like DrakConf. That seems sensible. It helps too, as people shouldn't be running their desktops as root, and it's way too inconvenient to logout of a desktop and into another one just to run some application as the root user. Alternatively, you can run a 'xterm su - root' and launch kfloppy or what have you from there. That's usually the approach I take, but makes the icon not of much value. As an aside, I like having xauth there, but dislike having to xhost + stuff to get access to an app on the desktop running as root, and to xhost - thereafter. I haven't noticed the need to do this nearly as much in Mandrake as in other Linux distributions I've recently used. > I too resent the DOSification of UNIX which is why I'm pleased > with my workaround. The part I was missing was the need to log Agreed. Stuff like autologin without password features in the later Mandrakes really miss the point. > out and back in again for it to take effect. I've added myself > though and it doesn't access hardware. The ownership > (root.cdwriter) and permissions (-rwxr-s---) puzzle me. Why is Mkisofs does access hardware, sort of. I would imagine you need it as part of cdrecord, to write the iso image to the CD prior to burning. Otherwise you're running it against something that looks like a partition, such as the loopback device. Permissions for accessing that should mirror the ones for physical hardware since it is accessing hardware at that level. The setgid bit is set so that the cdrecord and related tools can access the cdrw device with full read/write permission. It works similarly to the floppy device - at least from a permissions standpoint. > John Morley ([EMAIL PROTECTED]) David E. Fox Thanks for letting me [EMAIL PROTECTED]change magnetic patterns [EMAIL PROTECTED] on your hard disk. ---
Re: [expert] Ownership of devices
"David E. Fox" wrote: > > Adding yourself to the floppy group is a workaround. I don't see why > you can't access the device at that point. You shouldn't have to 'newgrp > floppy' because 'floppy' already exists. You might have to relogin again. You're right. It wasn't just a case of opening up a new terminal. Once I'd logged out of KDE and logged back in again it all started working. I can now use the KFloppy icon as it was intended and I haven't compromised the security of my system. So as workarounds go it's not a bad one. The only other way to make KFloppy useful would be to make it pop up a dialogue box asking for the root password, like DrakConf. Then again, that's really overkill as you really don't need to have full root permissions in order to format a floppy disk. I too resent the DOSification of UNIX which is why I'm pleased with my workaround. The part I was missing was the need to log out and back in again for it to take effect. I've added myself to the cdwriter group too for the same reason. I found it rather perplexing that I couldn't use /usr/bin/mkisofs otherwise even though and it doesn't access hardware. The ownership (root.cdwriter) and permissions (-rwxr-s---) puzzle me. Why is the set-GID bit set? -- John Morley ([EMAIL PROTECTED])
Re: [expert] Ownership of devices
> I've just been trying to use KFloppy to format a floppy disk from > within the K Desktop Environment. As I was logged in as an > ordinary user (jmorley) and a member of an ordinary group (users) I might be viewed as a right-wing conservative, but I'm of the opinion that ordinary users should not be able to access raw devices, period. That's why the Unix permission scheme exists, among other things. Of course, it's a bit inconvenient to ask root to format the floppies for you, and in Linux's case, you happen to be root as well. That's one of the things that root is supposed to do, so switch hats and do the operation as root. Still, many suggest that even that is less convenient than just doing the thing as a user, so various means to "circumvent" these restrictions have arised. Personally speaking, I haven't really bothered with them - I still typically mount/unmount/format things as root. > my attempt to access the /dev/fd0h1440 device (owned by root.floppy, > permissions brw-rw) failed. OK, if you are not a member of the floppy group, or have ownership of the device, you can't use it. Seems fine to me. > > added my ordinary username (jmorley) to the entry for floppy: > > floppy:x:19:jmorley Adding yourself to the floppy group is a workaround. I don't see why you can't access the device at that point. You shouldn't have to 'newgrp floppy' because 'floppy' already exists. You might have to relogin again. What happens with 'fdformat /dev/fd0' once you're a member of the floppy group? If you can do that it would prove you have (group) access to the floppy device and can format floppies. If you can do that and still can't use kfloppy it would be a problem with the latter. > The obvious solution would be to change the ownership of /dev/fd0* > to jmorley but I'm reluctant to do that until I've considered all > the ramifications. Don't. That circumvents the whole point of the permissions. Really, I'm kind of appalled at all this 'new-fangled' methodology to make Unix resemble DOS :). > John Morley ([EMAIL PROTECTED]) David E. Fox Thanks for letting me [EMAIL PROTECTED]change magnetic patterns [EMAIL PROTECTED] on your hard disk. ---
[expert] Ownership of devices
Hello there. I've just been trying to use KFloppy to format a floppy disk from within the K Desktop Environment. As I was logged in as an ordinary user (jmorley) and a member of an ordinary group (users) my attempt to access the /dev/fd0h1440 device (owned by root.floppy, permissions brw-rw) failed. My initial reaction was to open up a terminal window, su to root and then type "kfloppy". I did this and, indeed, it worked. Then I started thinking things over and, remembering that the /dev/fd0h1440 device is in the floppy group, I edited /etc/group (as root) and added my ordinary username (jmorley) to the entry for floppy: floppy:x:19:jmorley I'm now able to type "newgrp floppy" and then "kfloppy" without the dangers of su'ing to root BUT I still can't use KFloppy when launched by clicking its icon. The obvious solution would be to change the ownership of /dev/fd0* to jmorley but I'm reluctant to do that until I've considered all the ramifications. What does the panel think? -- John Morley ([EMAIL PROTECTED])