Re: CD burning and root

[Andrew Sobala <andrew sobala net>]

> On Fri, 20 Dec 2002 textshell neutronstar dyndns org wrote:
> 
> > On Fri, Dec 20, 2002 at 03:09:49AM -0500, Alexander Larsson wrote:
> > > On Thu, 19 Dec 2002 textshell neutronstar dyndns org wrote:
> > > 
> > > > On Thu, Dec 19, 2002 at 03:55:05AM -0500, Alexander Larsson wrote:
> > > > > On 18 Dec 2002, Andrew Sobala wrote:
> > > > > 
> > > > > > Is there a way to give the application root permissions yet allow it to
> > > > > > access a user's burn:/// folder? Does this need to be implemented in the
> > > > > > code itself? It really needs to be addressed before it becomes a viable
> > > > > > CD burning utility (I know it's still alpha), and could something that
> > > > > > needs addressing at a lower level in GNOME.
> > > > > 
> > > > > You need to give the user write access to the cd writer device. This can 
> > > > > be done in various ways, on pam-based distros it typically will be done 
> > > > > using console.perms. 
> > > > > 
> > > > 
> > > > Hmm, I think this kind of stuff (write permission to generic scsi devices) is
> > > > quite distro and site specific and potentially also dangerous. So i would
> > > > appreciate if we could have a (documented) way for root to burn stuff for the
> > > > users. If you feel that is a option that just works around solveble problems
> > > > just document the right way, but I'm almost completly sure that there are good
> > > > reasons for a system administrator not to allow user access to the cd recorder.
> > > 
> > > Exactly what do you want? You can easily tell the user to burn to an iso 
> > > using nautilus-cd-burner, and then root can burn it. Or do you want the 
> > > user to launch cdrecord as root after typing in the password? That strikes 
> > > me as more dangerous then having access to the cd scsi device.
> > > 
> > > Anyway, I'd love to hear other ideas how this can be handled. Possible 
> > > solutions i know of are:
> > > consoles.perms, making a cdwriter group, setuid or setguid cdrecord.
> > > 
> > 
> > My idea is that root or someone with enough permissons can just open another
> > users burn:/// folder and use the normal nautilus-cd-burner user interface. That
> > would ease things for the admins/sysops that don't really know much about Linux
> > / Gnome etc. but just have to get their work done.
> > 
> > That is IMHO what Andrew Sobala asked for: Some way for root the see a normal
> > users burn:///. This way the admin can easyly check what's written to the CD and
> > my do somechanges.
> 
> I plan to eventually write a companion app the copies disk-to-disk and 
> iso-to-disk. With that written the user could just use n-c-b to generate 
> the iso and root could do the iso-to-disk using the other app.

Imagine a single user home desktop machine. The user drags things into
his burn:///. He doesn't have CD access because the GNU/Linux
distribution is also aimed at businesses where this would not be a
desirable default. IMHO he should be able to open nautilus-cd-burner,
enter a root password as required by PAM, and burn the CD. The extra
step of having to create an ISO first, then burn it as root, is a step
that shouldn't need to be exposed to the user.

But maybe non-brain-dead CD drive access defaults would be the better
solution.

-- 
Andrew

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GS/M d--(-) s: a17 C++(+++) UL+ P++ L+++ E--- W+>++ N(-) o? K? w--(---) !O M V-
PS+ PE Y+ PGP+>++++ t@ 5-- X- R tv-@ b++++ DI+++ D>---- G- e- h! r--- y?
------END GEEK CODE BLOCK------