Re: [expert] Ownership of devices

2001-05-06 Thread John Wolford 

One of the alternatives, and a simple one in a case like this, is to use sudo.

j


--- "David E. Fox" <[EMAIL PROTECTED]> wrote:
> > I've just been trying to use KFloppy to format a floppy disk from
> > within the K Desktop Environment.  As I was logged in as an
> > ordinary user (jmorley) and a member of an ordinary group (users)
> 
> I might be viewed as a right-wing conservative, but I'm of the opinion
> that ordinary users should not be able to access raw devices, period. That's
> why the Unix permission scheme exists, among other things. 
> 
> Of course, it's a bit inconvenient to ask root to format the floppies for
> you, and in Linux's case, you happen to be root as well. That's one of
> the things that root is supposed to do, so switch hats and do the 
> operation as root. 
> 
> Still, many suggest that even that is less convenient than just doing
> the thing as a user, so various means to "circumvent" these restrictions
> have arised. Personally speaking, I haven't really bothered with them - I
> still typically mount/unmount/format things as root. 
> 
> > my attempt to access the /dev/fd0h1440 device (owned by root.floppy,
> > permissions brw-rw) failed.
> 
> OK, if you are not a member of the floppy group, or have ownership of the
> device, you can't use it. Seems fine to me.
> 
> > 
> > added my ordinary username (jmorley) to the entry for floppy:
> > 
> >   floppy:x:19:jmorley
> 
> Adding yourself to the floppy group is a workaround. I don't see why
> you can't access the device at that point. You shouldn't have to 'newgrp
> floppy' because 'floppy' already exists. You might have to relogin again.
> 
> 
> What happens with 'fdformat /dev/fd0' once you're a member of the floppy
> group? If you can do that it would prove you have (group) access to the
> floppy device and can format floppies. If you can do that and still can't
> use kfloppy it would be a problem with the latter.
> 
> 
> > The obvious solution would be to change the ownership of /dev/fd0*
> > to jmorley but I'm reluctant to do that until I've considered all
> > the ramifications.
> 
> Don't. That circumvents the whole point of the permissions. Really, I'm
> kind of appalled at all this 'new-fangled' methodology to make Unix 
> resemble DOS :).
> 
> > John Morley ([EMAIL PROTECTED])
> 
> 
> David E. Fox  Thanks for letting me
> [EMAIL PROTECTED]change magnetic patterns
> [EMAIL PROTECTED]   on your hard disk.
> ---
> 


__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

Re: [expert] Ownership of devices

2001-05-06 Thread David E. Fox 

> working.  I can now use the KFloppy icon as it was intended and I
> haven't compromised the security of my system.  So as workarounds
> go it's not a bad one.

Yes, it's an ok workaround. Alternatives are making the kfloppy and
related tools setgid floppy or setuid root. The latter shouldn't be
needed, and is a security risk because it makes the app run as
if it were the root user Setgid floppy isn't a very good choice
either, considering that it allows non-members of the group direct
access to the hardware.
.
> The only other way to make KFloppy useful would be to make it pop
> up a dialogue box asking for the root password, like DrakConf.

That seems sensible. It helps too, as people shouldn't be running
their desktops as root, and it's way too inconvenient to logout of
a desktop and into another one just to run some application as the
root user.  Alternatively, you can run a 'xterm su - root' and launch
kfloppy or what have you from there. That's usually the approach I 
take, but makes the icon not of much value.

As an aside, I like having xauth there, but dislike having to xhost +
stuff to get access to an app on the desktop running as root, and to
xhost - thereafter. I haven't noticed the need to do this nearly as
much in Mandrake as in other Linux distributions I've recently used.

> I too resent the DOSification of UNIX which is why I'm pleased
> with my workaround.  The part I was missing was the need to log

Agreed. Stuff like autologin without password features in the later
Mandrakes really miss the point.

> out and back in again for it to take effect.  I've added myself
> though and it doesn't access hardware.  The ownership
> (root.cdwriter) and permissions (-rwxr-s---) puzzle me.  Why is

Mkisofs does access hardware, sort of. I would imagine you need it
as part of cdrecord, to write the iso image to the CD prior to 
burning. Otherwise you're running it against something that looks
like a partition, such as the loopback device. Permissions for accessing
that should mirror the ones for physical hardware since it is accessing
hardware at that level.

The setgid bit is set so that the cdrecord and related tools can access
the cdrw device with full read/write permission. It works similarly to
the floppy device - at least from a permissions standpoint.

> John Morley ([EMAIL PROTECTED])


David E. Fox  Thanks for letting me
[EMAIL PROTECTED]change magnetic patterns
[EMAIL PROTECTED]   on your hard disk.
---

Re: [expert] Ownership of devices

2001-05-05 Thread John Morley 

"David E. Fox" wrote:
> 
> Adding yourself to the floppy group is a workaround. I don't see why
> you can't access the device at that point. You shouldn't have to 'newgrp
> floppy' because 'floppy' already exists. You might have to relogin again.

You're right.  It wasn't just a case of opening up a new terminal.
Once I'd logged out of KDE and logged back in again it all started
working.  I can now use the KFloppy icon as it was intended and I
haven't compromised the security of my system.  So as workarounds
go it's not a bad one.

The only other way to make KFloppy useful would be to make it pop
up a dialogue box asking for the root password, like DrakConf.
Then again, that's really overkill as you really don't need to
have full root permissions in order to format a floppy disk.

I too resent the DOSification of UNIX which is why I'm pleased
with my workaround.  The part I was missing was the need to log
out and back in again for it to take effect.  I've added myself
to the cdwriter group too for the same reason.  I found it rather
perplexing that I couldn't use /usr/bin/mkisofs otherwise even
though and it doesn't access hardware.  The ownership
(root.cdwriter) and permissions (-rwxr-s---) puzzle me.  Why is
the set-GID bit set?

-- 
John Morley ([EMAIL PROTECTED])

Re: [expert] Ownership of devices

2001-05-05 Thread David E. Fox 

> I've just been trying to use KFloppy to format a floppy disk from
> within the K Desktop Environment.  As I was logged in as an
> ordinary user (jmorley) and a member of an ordinary group (users)

I might be viewed as a right-wing conservative, but I'm of the opinion
that ordinary users should not be able to access raw devices, period. That's
why the Unix permission scheme exists, among other things. 

Of course, it's a bit inconvenient to ask root to format the floppies for
you, and in Linux's case, you happen to be root as well. That's one of
the things that root is supposed to do, so switch hats and do the 
operation as root. 

Still, many suggest that even that is less convenient than just doing
the thing as a user, so various means to "circumvent" these restrictions
have arised. Personally speaking, I haven't really bothered with them - I
still typically mount/unmount/format things as root. 

> my attempt to access the /dev/fd0h1440 device (owned by root.floppy,
> permissions brw-rw) failed.

OK, if you are not a member of the floppy group, or have ownership of the
device, you can't use it. Seems fine to me.

> 
> added my ordinary username (jmorley) to the entry for floppy:
> 
>   floppy:x:19:jmorley

Adding yourself to the floppy group is a workaround. I don't see why
you can't access the device at that point. You shouldn't have to 'newgrp
floppy' because 'floppy' already exists. You might have to relogin again.


What happens with 'fdformat /dev/fd0' once you're a member of the floppy
group? If you can do that it would prove you have (group) access to the
floppy device and can format floppies. If you can do that and still can't
use kfloppy it would be a problem with the latter.


> The obvious solution would be to change the ownership of /dev/fd0*
> to jmorley but I'm reluctant to do that until I've considered all
> the ramifications.

Don't. That circumvents the whole point of the permissions. Really, I'm
kind of appalled at all this 'new-fangled' methodology to make Unix 
resemble DOS :).

> John Morley ([EMAIL PROTECTED])


David E. Fox  Thanks for letting me
[EMAIL PROTECTED]change magnetic patterns
[EMAIL PROTECTED]   on your hard disk.
---

[expert] Ownership of devices

2001-05-05 Thread John Morley 

Hello there.

I've just been trying to use KFloppy to format a floppy disk from
within the K Desktop Environment.  As I was logged in as an
ordinary user (jmorley) and a member of an ordinary group (users)
my attempt to access the /dev/fd0h1440 device (owned by root.floppy,
permissions brw-rw) failed.

My initial reaction was to open up a terminal window, su to root and
then type "kfloppy".  I did this and, indeed, it worked.  Then I
started thinking things over and, remembering that the /dev/fd0h1440
device is in the floppy group, I edited /etc/group (as root) and
added my ordinary username (jmorley) to the entry for floppy:

  floppy:x:19:jmorley

I'm now able to type "newgrp floppy" and then "kfloppy" without the
dangers of su'ing to root BUT I still can't use KFloppy when launched
by clicking its icon.

The obvious solution would be to change the ownership of /dev/fd0*
to jmorley but I'm reluctant to do that until I've considered all
the ramifications.

What does the panel think?

-- 
John Morley ([EMAIL PROTECTED])