Re: dvd-rw as user?
On Thu, 2 Apr 2009 05:20:21 -0400 Nick Guenther kou...@gmail.com wrote:

It seems a lot simpler to just chmod g+w on any devices you find you need and make sure you're in the operator group (though don't chmod g+w /dev/*, I did that once and things broke very badly I seem to recall, though I don't remember details since I was more like shitshitfixfix). What's the risk in doing it this way? The only thing I can see is that if someone breaks into your account they can burn CDs remotely

If you're using the local tty's (/dev/ttyC?) to grant write access to the CDROM, you have a lot more to worry about because said attacker who breaks into your account has physical access to the machine.

(or overwrite any unmounted partitions)

I see no reason to change hard disk permissions at all. The default permissions are correct just the way they are, and they prevent this kind of nonsense from unprivileged users.

    $ whoami
    jcr
    $ pwd
    /home/jcr
    $ mkdir jcr-mnt
    $ mount /dev/wd1a jcr-mnt
    mount_ffs: /dev/wd1a on /home/jcr/jcr-mnt: Operation not permitted
    $

My reason is that kern.usermount=1 is not much use unless your user account can write the harddrive devices. chmod g+w /dev/rsd* is a lot less hassle than fbtab (not necessarily just laziness! Reduced complexity = easier to maintain = less security problems). mount(8) (where I learned about kern.usermount) doesn't mention fbtab, so I just did what seemed, in lack of any other guidance, to be the most elegant thing. Anyway, I only put my user account in operator, and it's not like I run any network facing daemons as that ((that's secure-enough, right?)).

Can you tell me what kern.usermount does?

The above might seem like a rhetorical (and facetious) question, but for the sake of example, let's assume the sad truth is I really do not know.

As you've probably guessed by now, I have a *very* *reserved* approach to systems and system management, so if I do not really understand something, I refuse to mess with it on any system that I'm counting on to do a job (experimental machines are a completely different story). Turning knobs and flipping switches when you don't know what they do is a well proven way to destroy things.

So if I want to understand what the kern.usermount sysctl actually does, I'd start, as always, with the man pages...

--Congratulations! I just stepped into a problem that exists on all operating systems, including OpenBSD, namely the issue of lower level kernel features being poorly documented in manuals, if documented at all.

The man page for sysctl(8) only gives you:

    $ man sysctl
    kern.usermount integer yes

Now that was a lot of help. It's an integer, but What The F@(%!! does it actually do?

My next step would be to follow the sage advice given to me by sthen@

    $ sudo pkg_add wtf
    $ wtf kern.usermount
    kern.usermount:
    $

Well that sucks.

The next thing I could do is go search the mail list archives and hope the results aren't too filled with incorrect and uninformed answers from the likes of me. Or worse, I could search the web and hope it isn't filled with incorrect and uninformed answers from the likes of me. If that failed, I could ask on the mailing lists.

Since I already know the lack of documentation for sysctl's is a known, and serious problem, I skipped the searching and looked at the source.

    $ cd /usr/src/sys
    $ find . -type f -iname \*.c -print0 | xargs -0 grep usermount
    ./kern/kern_sysctl.c: extern int usermount, nosuidcoredump;
    ./kern/kern_sysctl.c: return (sysctl_int(oldp, oldlenp, newp, newlen, &usermount));
    ./kern/vfs_syscalls.c:int usermount = 0; /* sysctl: by default, users may not mount */
    ./kern/vfs_syscalls.c: if (usermount == 0 && (error = suser(p, 0)))
    $ gvim /usr/src/sys/kern/kern_sysctl.c /usr/src/sys/kern/vfs_syscalls.c

And finally, an answer is found in vfs_syscalls.c

    extern int suid_clear;
    /* sysctl: by default, users may not mount */
    int usermount = 0;

Of course, if you can read code, checking to make sure the comment description is actually accurate is always a good move but at least you now have an idea of WTF kern.usermount actually does, so it's time for a cup of coffee and some quiet time to ponder the implied question...

Why The F@(%! are users not allowed to mount by default?

The answer goes back to the *very* *reserved* approach to system management I mentioned earlier... --You should have a good *reason* to do anything, and until you can find a good reason to do something, the best answer is no.

Now the question *seems* to become whether or not to use kern.usermount? But actually, the real question is what are you trying to do?

I'll assume you drank the kool-aid of taking a *reserved* approach and as a fresh convert, you are now a true believer. If what you want to do is allow a user to mount a CDROM
Re: dvd-rw as user?
On Wed, 1 Apr 2009 21:24:16 -0400 Nick Guenther kou...@gmail.com wrote:
On Wed, Apr 1, 2009 at 10:48 AM, J.C. Roberts list-...@designtools.org wrote:
On Wed, 1 Apr 2009 04:46:10 + Jacob Meuser jake...@sdf.lonestar.org wrote:
On Tue, Mar 31, 2009 at 07:13:33PM -0700, OpenBSD wrote:

Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

by default root can read and write /dev/rcd0c. operator group can only read. you need to be able to write to /dev/rcd0c to put a filesystem on a cd/dvd. you can change the permissions on /dev/rcd0c or use sudo.

Using sudo is a great way to handle this situation, but this depends on how much you trust the user, and whether or not you can properly configure /etc/sudoers with visudo.

NOTE: Jake only said change the permissions but he did not say to change them permanently on disk. Of course, changing permissions permanently on disk is an option, but in many situations it is not the best option. If as root you fumble-finger the chown/chmod command on your devices, stuff a user into the wrong group, or don't fully understand all the esoteric issues involved in device permissions, you could easily be in a world of hurt.

If you really want to go the route of changing permissions on a workstation, the best way to do it is using the existing features available in /etc/fbtab to change permissions on devices automatically and temporarily at user login and logout. See man fbtab for details. This exact situation of an unprivileged local user needing access to devices is the reason why fbtab exists.

Reading fbtab(5), it seems that it changes the device permissions whenever any matching user logs in. So what happens if two users log in (say, one on the first virtual term, one on the second)? Does the second get control of all the devices and the first is just out of luck?

It depends on how you configure things. It's just a chmod, so you could set the permissions however you want (owner/group/everyone). At times you would *want* the other guy to be out of luck.

The tty(4) used to log in is the trigger for fbtab to change the permissions. If you look at your /etc/fbtab file, you'll find you're already using it. If you log into the first virtual terminal (i.e. the default), you're on /dev/ttyC0. If you log into the second virtual terminal, you're on /dev/ttyC1, and so on. Though they are called Virtual Terminals and you've got a number of them, they are, in essence, device files associated with hardware terminal ports. Yes, the names, hardware versus virtual, do seem a bit contradictory until you read `man 4 tty` and think about it.

The Virtual Terminals (normally) all use the same single of user interface equipment (keyboard, mouse, ...), but the equipment is only tied to one virtual terminal at a time. Yep, by switching virtual terminals, you're basically reassigning control of the equipment from one hardware terminal port to another.

You might be doing something highly improbable, namely you are successfully running a Hydra System (i.e. multiple keyboards, mice, monitors, ... all connected to one system) -- If you've got that working, please tell me how. (; -- In this case you could have two different people logged in *locally* via UI equipment. Sadly, I do not recall how tty(4)'s and/or virtual terminals are assigned on a hydra system. I'm fairly certain it still involves the typical TTY dial-in port waiting for a connection/login (via getty), but I do not recall (and can't find) the details on how the hardware gets assigned.

In contrast, if you log in remotely via ssh, you use a pseudo terminal (pty(4)), so the local keyboard, mouse and whatever are not assigned.

Again it might seem contradictory, but if you're running the X Window system, and you start an xterm window, the xterm is also assigned a pseudo terminal --the reason being is the keyboard, mouse and whatnot are *already* tied to the Graphics Virtual Terminal (/dev/X0 typically assigned to CTRL-ALT-F5) and the X Server is responsible for passing keystrokes to the xterm window. Yep, when you start X Windows, you actually switch virtual terminals, so the keyboard, mouse, monitor and whatever get reassigned to it.

If you look at the default /etc/fbtab, you'll see it handles the reassignment of your mouse device (/dev/wsmouse /dev/wsmouse0). I do not personally know why only the mouse is reassigned to the X/Graphics virtual terminal via fbtab and your keyboard and monitor are not, but there is probably a good reason for it... ---I like to believe said good reason is sitting quietly, waiting, in a very large pile of good reasons that I do not know and need to discover. (;

You've now got the basics
Re: dvd-rw as user?
On Thu, Apr 2, 2009 at 3:06 AM, J.C. Roberts list-...@designtools.org wrote:
On Wed, 1 Apr 2009 21:24:16 -0400 Nick Guenther kou...@gmail.com wrote:
On Wed, Apr 1, 2009 at 10:48 AM, J.C. Roberts list-...@designtools.org wrote:
On Wed, 1 Apr 2009 04:46:10 + Jacob Meuser jake...@sdf.lonestar.org wrote:
On Tue, Mar 31, 2009 at 07:13:33PM -0700, OpenBSD wrote:

Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

by default root can read and write /dev/rcd0c. operator group can only read. you need to be able to write to /dev/rcd0c to put a filesystem on a cd/dvd. you can change the permissions on /dev/rcd0c or use sudo.

Using sudo is a great way to handle this situation, but this depends on how much you trust the user, and whether or not you can properly configure /etc/sudoers with visudo.

NOTE: Jake only said change the permissions but he did not say to change them permanently on disk. Of course, changing permissions permanently on disk is an option, but in many situations it is not the best option. If as root you fumble-finger the chown/chmod command on your devices, stuff a user into the wrong group, or don't fully understand all the esoteric issues involved in device permissions, you could easily be in a world of hurt.

If you really want to go the route of changing permissions on a workstation, the best way to do it is using the existing features available in /etc/fbtab to change permissions on devices automatically and temporarily at user login and logout. See man fbtab for details. This exact situation of an unprivileged local user needing access to devices is the reason why fbtab exists.

Reading fbtab(5), it seems that it changes the device permissions whenever any matching user logs in. So what happens if two users log in (say, one on the first virtual term, one on the second)? Does the second get control of all the devices and the first is just out of luck?

It depends on how you configure things. It's just a chmod, so you could set the permissions however you want (owner/group/everyone). At times you would *want* the other guy to be out of luck.

The tty(4) used to log in is the trigger for fbtab to change the permissions. If you look at your /etc/fbtab file, you'll find you're already using it. If you log into the first virtual terminal (i.e. the default), you're on /dev/ttyC0. If you log into the second virtual terminal, you're on /dev/ttyC1, and so on. Though they are called Virtual Terminals and you've got a number of them, they are, in essence, device files associated with hardware terminal ports. Yes, the names, hardware versus virtual, do seem a bit contradictory until you read `man 4 tty` and think about it.

When I get back to my BSD box I'll have to remember to see who owns what if I login as one user on ttyC0 and a different one on ttyC1.

The Virtual Terminals (normally) all use the same single of user interface equipment (keyboard, mouse, ...), but the equipment is only tied to one virtual terminal at a time. Yep, by switching virtual terminals, you're basically reassigning control of the equipment from one hardware terminal port to another.

You might be doing something highly improbable, namely you are successfully running a Hydra System (i.e. multiple keyboards, mice, monitors, ... all connected to one system) -- If you've got that working, please tell me how. (; -- In this case you could have two different people logged in *locally* via UI equipment. Sadly, I do not recall how tty(4)'s and/or virtual terminals are assigned on a hydra system. I'm fairly certain it still involves the typical TTY dial-in port waiting for a connection/login (via getty), but I do not recall (and can't find) the details on how the hardware gets assigned.

In contrast, if you log in remotely via ssh, you use a pseudo terminal (pty(4)), so the local keyboard, mouse and whatever are not assigned.

Again it might seem contradictory, but if you're running the X Window system, and you start an xterm window, the xterm is also assigned a pseudo terminal --the reason being is the keyboard, mouse and whatnot are *already* tied to the Graphics Virtual Terminal (/dev/X0 typically assigned to CTRL-ALT-F5) and the X Server is responsible for passing keystrokes to the xterm window. Yep, when you start X Windows, you actually switch virtual terminals, so the keyboard, mouse, monitor and whatever get reassigned to it.

If you look at the default /etc/fbtab, you'll see it handles the reassignment of your mouse device (/dev/wsmouse /dev/wsmouse0). I do not personally know why only the mouse is reassigned to the X/Graphics virtual terminal via fbtab
Re: dvd-rw as user?
On Wed, 01-04-2009 at 06:18 -0500, Josh Grosse wrote:
On Tue, 31 Mar 2009 21:52:04 -0700, OpenBSD wrote

i do not have any problem mounting the dvd, as root or at user desktop; the problem is when i do $ qemu -hda slackware.img -cdrom /dev/cd0a -boot d -m 128, at this time the dvd has been mounted by root, and it fails accessing the dvd. PS: I can read files at the mounted dvd, when qemu fails.

You cannot use the block device node of a mounted device. Either use the raw device, or, unmount it before using qemu.

Yes, it was the problem, as member of operator group, i had to umount /dev/cd0a, and then qemu worked correctly.

During the installation, the laptop stopped, because of high temperature, it happened 3 single times. I could not determine which is the cause. Logs just show high temperature. Compaq V3019US amd64x2 Turion.

Thanks to all of you who helped me.
Re: dvd-rw as user?
On Tue, 31 Mar 2009 21:52:04 -0700, OpenBSD wrote

i do not have any problem mounting the dvd, as root or at user desktop; the problem is when i do $ qemu -hda slackware.img -cdrom /dev/cd0a -boot d -m 128, at this time the dvd has been mounted by root, and it fails accessing the dvd. PS: I can read files at the mounted dvd, when qemu fails.

You cannot use the block device node of a mounted device. Either use the raw device, or, unmount it before using qemu.
Re: dvd-rw as user?
On Wed, 1 Apr 2009 04:46:10 + Jacob Meuser jake...@sdf.lonestar.org wrote:
On Tue, Mar 31, 2009 at 07:13:33PM -0700, OpenBSD wrote:

Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

by default root can read and write /dev/rcd0c. operator group can only read. you need to be able to write to /dev/rcd0c to put a filesystem on a cd/dvd. you can change the permissions on /dev/rcd0c or use sudo.

Using sudo is a great way to handle this situation, but this depends on how much you trust the user, and whether or not you can properly configure /etc/sudoers with visudo.

NOTE: Jake only said change the permissions but he did not say to change them permanently on disk. Of course, changing permissions permanently on disk is an option, but in many situations it is not the best option. If as root you fumble-finger the chown/chmod command on your devices, stuff a user into the wrong group, or don't fully understand all the esoteric issues involved in device permissions, you could easily be in a world of hurt.

If you really want to go the route of changing permissions on a workstation, the best way to do it is using the existing features available in /etc/fbtab to change permissions on devices automatically and temporarily at user login and logout. See man fbtab for details. This exact situation of an unprivileged local user needing access to devices is the reason why fbtab exists.

--
J.C. Roberts
Re: dvd-rw as user?
On Wed, Apr 1, 2009 at 10:48 AM, J.C. Roberts list-...@designtools.org wrote:
On Wed, 1 Apr 2009 04:46:10 + Jacob Meuser jake...@sdf.lonestar.org wrote:
On Tue, Mar 31, 2009 at 07:13:33PM -0700, OpenBSD wrote:

Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

by default root can read and write /dev/rcd0c. operator group can only read. you need to be able to write to /dev/rcd0c to put a filesystem on a cd/dvd. you can change the permissions on /dev/rcd0c or use sudo.

Using sudo is a great way to handle this situation, but this depends on how much you trust the user, and whether or not you can properly configure /etc/sudoers with visudo.

NOTE: Jake only said change the permissions but he did not say to change them permanently on disk. Of course, changing permissions permanently on disk is an option, but in many situations it is not the best option. If as root you fumble-finger the chown/chmod command on your devices, stuff a user into the wrong group, or don't fully understand all the esoteric issues involved in device permissions, you could easily be in a world of hurt.

If you really want to go the route of changing permissions on a workstation, the best way to do it is using the existing features available in /etc/fbtab to change permissions on devices automatically and temporarily at user login and logout. See man fbtab for details. This exact situation of an unprivileged local user needing access to devices is the reason why fbtab exists.

Reading fbtab(5), it seems that it changes the device permissions whenever any matching user logs in. So what happens if two users log in (say, one on the first virtual term, one on the second)? Does the second get control of all the devices and the first is just out of luck?

It seems a lot simpler to just chmod g+w on any devices you find you need and make sure you're in the operator group (though don't chmod g+w /dev/*, I did that once and things broke very badly I seem to recall, though I don't remember details since I was more like shitshitfixfix). What's the risk in doing it this way? The only thing I can see is that if someone breaks into your account they can burn CDs remotely (or overwrite any unmounted partitions) while you're not logged in which is obviously so much more dangerous than someone breaking into your account while you are logged in.

-Nick
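An added example, not part of any post in this thread: a small audit for the device-permission question raised above. It reads `ls -l /dev`-style lines and reports hard disk nodes (sd/wd, raw or block) that group or other can write as RISK, and CD nodes opened up the same way as NOTE. The sample listing, its owners and its major/minor numbers are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: audit `ls -l /dev`-style lines for
# disk and CD device nodes that group or other can write.

# Constructed sample listing (owners, majors and minors are made up).
sample_listing() {
    cat <<'EOF'
crw-r-----  1 root  operator   13,   0 Mar 31 19:00 rsd0a
crw-rw----  1 root  operator   13,  16 Mar 31 19:00 rsd1a
brw-r-----  1 root  operator    4,   0 Mar 31 19:00 sd0a
brw-r-----  1 root  operator    0,  16 Mar 31 19:00 wd1a
crw-rw----  1 root  operator   15,   2 Mar 31 19:00 rcd0c
crw-rw-rw-  1 root  wheel       2,   2 Mar 31 19:00 null
EOF
}

# Reads the listing on stdin. Prints one line per finding:
#   RISK  hard disk node writable by group/other (can overwrite partitions)
#   NOTE  CD/DVD node writable by group/other (a deliberate change to review)
audit_dev_perms() {
    awk '
    # Only character (c) and block (b) device nodes are of interest.
    $1 !~ /^[bc]/ { next }
    {
        mode = $1; name = $NF
        gw = (substr(mode, 6, 1) == "w")    # group write bit
        ow = (substr(mode, 9, 1) == "w")    # other write bit
        if (!gw && !ow) next
        who = (gw && ow) ? "group+other" : (gw ? "group" : "other")
        # sdNx / wdNx and their raw (r-prefixed) nodes, partitions a-p.
        if (name ~ /^r?(sd|wd)[0-9]+[a-p]$/)
            printf "RISK %s %s-writable (group %s)\n", name, who, $4
        else if (name ~ /^r?cd[0-9]+[a-p]$/)
            printf "NOTE %s %s-writable (group %s)\n", name, who, $4
    }'
}

# Demo on the constructed listing.
sample_listing | audit_dev_perms
```

On a real system the input would be `ls -l /dev | audit_dev_perms`; every member of the reported group holds the write access shown.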
dvd-rw as user?
Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

BTW, when i try to open the file manager as root, it says the conversation with su has failed; how can i correct this?

OS: amd64, desktop: kde, OpenBSD version: 4.4

--
OpenBSD openbbs...@gmail.com
Re: dvd-rw as user?
Quoting OpenBSD openbbs...@gmail.com:

Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

BTW, when i try to open the file manager as root, it says the conversation with su has failed; how can i correct this?

OS: amd64, desktop: kde, OpenBSD version: 4.4

--
OpenBSD openbbs...@gmail.com

Did you search the archives?

http://marc.info/?l=openbsd-misc&w=2&r=1&s=conversation&q=b
Re: dvd-rw as user?
On Tue, Mar 31, 2009 at 07:13:33PM -0700, OpenBSD wrote:

Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

by default root can read and write /dev/rcd0c. operator group can only read. you need to be able to write to /dev/rcd0c to put a filesystem on a cd/dvd. you can change the permissions on /dev/rcd0c or use sudo.

BTW, when i try to open the file manager as root, it says the conversation with su has failed; how can i correct this?

OS: amd64, desktop: kde, OpenBSD version: 4.4

--
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
Re: dvd-rw as user?
On Wed, 01-04-2009 at 16:14 +1300, richardtoo...@paradise.net.nz wrote:
Quoting OpenBSD openbbs...@gmail.com:

Hello

Could somebody please tell me how to use a dvd-rw as user? I'm trying to install Slackware using qemu, and the dvd does not work properly, it works well as root. I've tried adding the user to operator group, users group, and declaring it at fstab without optimum results.

BTW, when i try to open the file manager as root, it says the conversation with su has failed; how can i correct this?

OS: amd64, desktop: kde, OpenBSD version: 4.4

--
OpenBSD openbbs...@gmail.com

Did you search the archives?

http://marc.info/?l=openbsd-misc&w=2&r=1&s=conversation&q=b

Nope, i did not know how to do it, thanks for the link!

After i searched the archives, i got an idea, creating a dvd group and adding user to it.

i do not have any problem mounting the dvd, as root or at user desktop; the problem is when i do $ qemu -hda slackware.img -cdrom /dev/cd0a -boot d -m 128, at this time the dvd has been mounted by root, and it fails accessing the dvd. PS: I can read files at the mounted dvd, when qemu fails.