X-CD-Roast 0.98 alpha9
----------------------
Instructions for non-root setup
-------------------------------
Beginning with the alpha7 it was possible to start X-CD-Roast as
normal user. This is only possible by setting a bunch of permissions
correctly - however X-CD-Roast itself does NOT need the suid-root bit,
which is very good for the security-reasons. The suid-root bit is
nevertheless required on cdrecord, cdda2wav, mkisofs and readcd.
All these programs have special handling for this case and drop the
root rights immediately after initialization.
As GTK+ 1.2.9 was released the non-root mode stopped to work - the
security checks of the new GTK were prohibiting any suid or guid usage.
Alpha9 now comes with a special wrapper executable, which gets the
guid-bit set, and X-CD-Roast itself is free of any special modes.
If you do not want to let other users use X-CD-Roast, you are free
to skip all these instructions and just start X-CD-Roast always as root.
X-CD-Roast will display some warnings in this case, but run fine.
Please change the permissions according to this README to allow
normal users to run X-CD-Roast.
We have to create a new group "cdwrite".
Note: DO NOT PUT ANY USERS INTO THAT GROUP. This was common error
people made for alpha7. Do not change any group for any user.
Just create this group. Nothing more.
Note by Debian maintainer:
I decide to use "cdrom" group on Debian.
So please read bellow as sed -e 's/cdwrite/cdrom/g' ;)
DO NOT CHANGE THE GENERIC SCSI DEVICES!
If you had made them writeable for group cdwrite for alpha7, restore
their permissions NOW!
chgrp sys /dev/sg* (or whatever group they were..)
chmod 600 /dev/sg*
Note by Debian maintainer:
On Debian, Normaly /dev/sg*'s permission is likes bellow:
crw------- 1 root root 21, 0 Apr 6 23:59 /dev/sg0
crw------- 1 root root 21, 1 Apr 6 23:59 /dev/sg1
crw------- 1 root root 21, 10 Apr 6 23:59 /dev/sg10
......
The new wrapper becomes now set-gid cdwrite, which allows access to all
cdrecord-tools. Because all cdrecord-tools are suid-root, they have
full access to the generic-scsi-devices.
X-CD-Roast can now decide which user is allowed to burn, by checking the
configuration the root user created. Details about this later...
Setting the permissions
-----------------------
Please install cdrecord-1.10 now. You can copy the binaries
to $PREFIX (e.g. /usr/bin or /usr/local/bin) or to the library-directory
of xcdroast (e.g. /usr/local/lib/xcdroast-0.98/bin). X-CD-Roast will look
in both dirs. This is described in detail in the README-file.
On most current distributions cdrecord-1.10 should already pre-installed
in /usr/bin. In this case you have to set the $PREFIX to /usr in the
Makefile. Or use your private copies of cdrecord-1.10 in the lib-dir
of X-CD-Roast (or set $CDRTOOLS_PREFIX to /usr).
As result you may have an installation like this:
-rwxr-xr-x 1 root root 168828 Aug 8 20:17 /usr/bin/cdrecord
-rwxr-xr-x 1 root root 169308 Aug 8 20:17 /usr/bin/cdda2wav
-rwxr-xr-x 1 root root 324220 Aug 8 20:17 /usr/bin/mkisofs
-rwxr-xr-x 1 root root 90812 Aug 8 20:17 /usr/bin/readcd
In Linux the generic-scsi-devices should look like this:
(Most possible this does look different on non-linux-systems.
The non-root-mode was only tested on Linux and may not work
on other systems yet.)
crw------- 1 root sys 21, 2 Aug 24 11:00 /dev/sg0
crw------- 1 root sys 21, 2 Aug 24 11:00 /dev/sg1
crw------- 1 root sys 21, 2 Aug 24 11:00 /dev/sg2
...
If the generic-devices look different for you (e.g. still with group
"cdwrite" and read/write able for group), then please restore the
permissions as shown above)
Now run the following commands to set the special permissions needed
for X-CD-Roast:
/usr/sbin/groupadd cdwrite
cd /usr/bin; # OR cd /usr/local/bin - whatever
chown root:cdwrite cdrecord cdda2wav mkisofs readcd
chmod 4710 cdrecord cdda2wav mkisofs readcd
(Adds a new group "cdwrite" to the system and makes all the cdrecord-
binaries only runable by root or somebody in the cdwrite group)
This is the result:
-rws--x--- 1 root cdwrite 169308 Aug 8 20:17 /usr/bin/cdda2wav
-rws--x--- 1 root cdwrite 168828 Aug 8 20:17 /usr/bin/cdrecord
-rws--x--- 1 root cdwrite 324220 Aug 8 20:17 /usr/bin/mkisofs
-rws--x--- 1 root cdwrite 90812 Aug 8 20:17 /usr/bin/readcd
Any users which are in group cdwrite can now start all the cdwriting-tools.
(Again, for X-CD-Roast it is not necessary to put any users manually into
the cdwrite group! X-CD-Roast does handle that with the sgid-bit on the
wrapper)
Therefore all we have to do, is to put the wrapper into that group and we are
fine. This is done with the following commands:
After a make install the wrapper was installed in
/usr/local/lib/xcdroast-0.98/bin or /usr/lib/xcdroast-0.98/bin
Please change now to the corresponding directory and enter:
chown root:cdwrite xcdrwrap
chmod 2755 xcdrwrap
(Alternatively you can do a "make perms" which does set this permissions
automatically after a "make install" was done.)
Usage of the non-root-mode
--------------------------
After X-CD-Roast was installed and all the permissions set correctly,
it can be started.
The first time root have to start it, to create the root-configuration-file
/etc/xcdroast.conf. Without this file, a normal user will get an error
message.
Root gets a new menu in setup, which allows him to define which users can
start X-CD-Roast on which hosts. There is also the possibility of defining
how much a user is allowed to change in the setup-menu.
It's possible that a normal user should not be able to change the
cdwriter-device or the directory where image-files are created in. These
settings apply to ALL allowed users.
Please see the tooltip-help for a detailed description of each option.
After root saved the configuration, all normal users (which have
been given permission by root via the setup) can start up X-CD-Roast.
If root denied them access to some options in the setup, then this
options are greyed out, and cannot be changed.
Thats all - please point out any security problems. I tested this
only on Linux-systems, I am not sure if this works on other platforms.
If you use a non-Linux system and get X-CD-Roast running fine as non-root
user, please send me a detailed description of all changes.
15.07.2001 Thomas Niederreiter (tn@xcdroast.org)