DerCorny (Retired Dev), Joined: 26 Jun 2005, Posts: 14, Location: Oberhausen, Germany
Posted: Sun Jul 24, 2005 2:33 pm
While waiting for advice from the maintainer, think about this: is this a bug or a feature? Have you ever thought that you might not be supposed to add normal users to group "disk"?

apache (n00b), Joined: 20 Jul 2004, Posts: 60, Location: Austria
Posted: Sun Jul 24, 2005 2:53 pm
DerCorny wrote:
> While waiting for advice from the maintainer, think about this: is this a bug or a feature? Have you ever thought that you might not be supposed to add normal users to group "disk"?
To my mind, disk should have root:root permissions unless you need something else, but that should be set by root and not by default. Due to the recent udev permission problems some users added their standard account to group disk, or they just did it because they think being in group disk gives you some speed improvement or something else ...
Again, if somebody needs those particular permissions, he knows why he needs them and can set them himself.

Gergan Penkov (Veteran), Joined: 17 Jul 2004, Posts: 1464, Location: the smallest cow village in Germany :)
Posted: Sun Jul 24, 2005 3:45 pm
Ok, I have this objection to the feature idea. The disc group is thought of as a last resort to reduce the possible security implications when somebody needs raw access to some disc or partition. Examples: centrally deployed servers with vmware (qemu) and read/write access to one partition/special disc for the user, archiving software with only read-only partition/disc access running as a cron job, and so on. This means that if someone coming from another distribution does it the same way on Gentoo, he is giving an unprivileged user all the access he/she needs to ruin the system. And why give somebody or some group a simple way to privilege escalation, when all the users in the disc group could simply change the /etc/passwd line for root to sth like root::... instead of root:x:... (I think this was the way; if not, it is about that easy) and receive passwordless access?
[EDIT] I mean with sth like dd if=..|sed ...|dd of=..., not that I think someone could change it with vi or gedit (the partitions have the correct permissions).
_________________
"I knew when an angel whispered into my ear,
You gotta get him away, yeah
Hey little bitch!
Be glad you finally walked away or you may have not lived another day."
Godsmack

apache (n00b), Joined: 20 Jul 2004, Posts: 60, Location: Austria
Posted: Sun Jul 24, 2005 4:43 pm
The reason why this group exists is clear and it makes sense, but as Gergan said already, it can be used to alter data or just erase the disk. This group should be used only for administrative purposes and therefore should be assigned to users only if really needed. But the fact is that there is no warning about that in the Gentoo manual, and every user can be assigned to that group without any warning.
It's nearly the same as with the cdrom and cdrw groups: users select these groups because they need access to their cdrom and want to burn CDs, and some may think: Hey, I need access to my drives, so I need to be in the disk group.
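A defender's check for the point the last two posts make, added here and not code from the thread, from udev or from Gentoo: it lists the non-root accounts that effectively hold membership in disk (and cdrom/cdrw), counting both the explicit member list and accounts whose primary gid in passwd is that group, which a plain grep of /etc/group misses, and it can list the block device nodes whose group bit grants write access, the root:disk 0660 nodes the thread describes. The group and passwd texts are constructed samples; SENSITIVE, members, audit and group_writable_block_devices are names chosen here.

```python
import grp
import os
import stat

# Groups worth reporting, and why. "disk" is the one the thread is about.
SENSITIVE = {
    "disk": "raw read/write on every block device (root-equivalent)",
    "cdrom": "read access to optical drives",
    "cdrw": "write access to optical burners",
}

def _records(text):
    """Non-comment lines of /etc/group or /etc/passwd style text, split on ':'."""
    return [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]

def members(group_text, passwd_text, gname):
    """Non-root accounts in group gname: the explicit member list from the group
    file plus accounts whose primary gid in passwd is that group. The primary-gid
    path is what a plain 'grep disk /etc/group' misses."""
    groups = {f[0]: (int(f[2]), [m for m in f[3].split(",") if m]) for f in _records(group_text)}
    users = {f[0]: (int(f[2]), int(f[3])) for f in _records(passwd_text)}
    if gname not in groups:
        return []
    gid, explicit = groups[gname]
    hits = set(explicit) | {u for u, (_, pgid) in users.items() if pgid == gid}
    return sorted(u for u in hits if users.get(u, (1, 0))[0] != 0)

def audit(group_text, passwd_text):
    """{group: [accounts]} for every sensitive group that has non-root members."""
    report = {}
    for gname in SENSITIVE:
        who = members(group_text, passwd_text, gname)
        if who:
            report[gname] = who
    return report

def group_writable_block_devices(devdir="/dev"):
    """(path, group) for block device nodes whose group bit permits write; on the
    thread's systems these are udev's root:disk 0660 nodes. Live check only."""
    found = []
    for name in os.listdir(devdir):
        path = os.path.join(devdir, name)
        try:
            st = os.lstat(path)
        except OSError:
            continue
        if stat.S_ISBLK(st.st_mode) and st.st_mode & stat.S_IWGRP:
            try:
                gname = grp.getgrgid(st.st_gid).gr_name
            except KeyError:
                gname = str(st.st_gid)
            found.append((path, gname))
    return sorted(found)

# Constructed sample: alice is in disk explicitly, carol only via her primary gid,
# root is listed in disk but is ignored (uid 0).
SAMPLE_GROUP = "root:x:0:\ndisk:x:6:root,alice\ncdrom:x:19:alice,bob\ncdrw:x:80:bob\n"
SAMPLE_PASSWD = ("root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
                 "bob:x:1001:1001::/home/bob:/bin/sh\ncarol:x:1002:6::/home/carol:/bin/sh\n")
```

On a live box, `audit(open("/etc/group").read(), open("/etc/passwd").read())` gives the account list and `group_writable_block_devices()` the nodes that list can write to.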

DerCorny (Retired Dev), Joined: 26 Jun 2005, Posts: 14, Location: Oberhausen, Germany
Posted: Sun Jul 24, 2005 4:46 pm
Ok, I'm saying this without any specific knowledge of udev and so on - so chances are (and history shows) that I'm completely wrong with this - so don't flame me if I'm wrong. Better wait for real comments from the udev gods.
But you said yourself: the "disk" group is a dangerous group and should be considered a very last resort. This implies that _no_ normal, untrusted and unprivileged users should be in this group. Putting all disks into the "disk" group offers the advantage that we can now allow trusted users raw disk access without putting them into the "root" group.
I can hardly protect users from doing not-so-smart things. And putting users in $DANGEROUS_GROUP is such a thing.

Gergan Penkov (Veteran), Joined: 17 Jul 2004, Posts: 1464, Location: the smallest cow village in Germany :)
Posted: Sun Jul 24, 2005 5:09 pm
Don't get me wrong. I also don't want to start a flame war; it probably should simply be documented (as apache said), and there must be warnings in the emerge process, because it is a major change in the privileges of a group.
I think there must be a Gentoo policy concerning and explaining the groups which are used by various packages and the base system, because it is possible for an uninformed sysadmin to open a security hole in the system.

apache (n00b), Joined: 20 Jul 2004, Posts: 60, Location: Austria
Posted: Sun Jul 24, 2005 6:19 pm
Gergan Penkov wrote:
> I think there must be a Gentoo policy concerning and explaining the groups which are used by various packages and the base system, because it is possible for an uninformed sysadmin to open a security hole in the system.

Exactly, that's what I thought too.

drphibes (Guru), Joined: 30 Nov 2004, Posts: 432
Posted: Sun Jul 24, 2005 6:27 pm
DerCorny wrote:
> Ok, I'm saying this without any specific knowledge of udev and so on - so chances are (and history shows) that I'm completely wrong with this - so don't flame me if I'm wrong. Better wait for real comments from the udev gods.
> But you said yourself: the "disk" group is a dangerous group and should be considered a very last resort. This implies that _no_ normal, untrusted and unprivileged users should be in this group. Putting all disks into the "disk" group offers the advantage that we can now allow trusted users raw disk access without putting them into the "root" group.
> I can hardly protect users from doing not-so-smart things. And putting users in $DANGEROUS_GROUP is such a thing.

The problem, er, rather the discussion, seems to be a perceived change in the semantics of being a member of group disk. I must admit that my notion of membership in that group had more to do with granting ordinary users write access to removable disk media. Now this membership seems to have more "strength." I agree the bug should have been submitted, if for no other reason than to let Greg know that we are debating this point now.

apache (n00b), Joined: 20 Jul 2004, Posts: 60, Location: Austria
Posted: Mon Jul 25, 2005 5:27 am
drphibes wrote:
> I agree the bug should have been submitted, if for no other reason than to let Greg know that we are debating this point now.

And unfortunately a bug report is nearly the only way to do this. I just gave an example (so that the report would not be deleted immediately) and pointed to that thread.

drphibes (Guru), Joined: 30 Nov 2004, Posts: 432
Posted: Mon Jul 25, 2005 7:59 pm
Bit of a flame war going on in that bug report ... so let's reason this out. I have no problem removing disk from ordinary users' group lists. But I need to give them rw access to my USB writer /dev/dvd -> /dev/sr0, which udev currently creates as root/disk w/ perms 660. I note there is no dvd group in /etc/group, but there are cdrom and cdrw. I suppose I could change the gid on sr0 to cdrw, or add a 'dvd' group and use that gid, then grant dvd or cdrw membership to ordinary users and be done with group disk as far as they are concerned. Btw, why isn't there a 'dvd' group?
Also, I do think that the partition devices (e.g. hda[1-9]) and the whole-disk device (e.g. hda) should be in the same group, WHATEVER that ends up being, i.e. disk or root. It makes little sense to have them in different groups.

drphibes (Guru), Joined: 30 Nov 2004, Posts: 432
Posted: Tue Aug 02, 2005 5:06 pm
thread renamed: [59-65]
My system hangs during boot on "Setting system clock to hardware clock [Local TIme] ..." after upgrading to udev-064-r1. I had to boot from a CD and downgrade to udev-063 to straighten it out. I'll post another bug report.
I am masking off >= 064.
EDIT: bug# 101110 posted
Last edited by drphibes on Thu Aug 04, 2005 12:53 am; edited 1 time in total

eltino (n00b), Joined: 29 Apr 2005, Posts: 44, Location: Martinique
Posted: Thu Aug 04, 2005 12:52 am
udev-065 is back to taking cdrom devices out of the cdrom group... back to root:disk... Hell, such a small little package...

zerb (Tux's lil' helper), Joined: 07 Aug 2003, Posts: 145, Location: Germany
Posted: Sat Aug 06, 2005 2:57 pm
The same thing has been bugging me too. Why did they take cdrom devices out of that group in the first place?

gimpel (Advocate), Joined: 15 Oct 2004, Posts: 2720, Location: Munich, Bavaria
Posted: Sat Aug 06, 2005 3:08 pm
Indeed 065 is fucked up again, back to 063 here.. works flawlessly.
I really liked the "old" way most, where one could set things in permissions.d.
For example: you want the dvd drive to be accessible for group cdrom, but the burner only for group cdrw... how the fscking heck can that be done atm? Setting up custom rules for hdc and hdd in 10-local.rules is useless, and it really should be possible to adjust that easily, shouldn't it?
_________________
http://proaudio.tuxfamily.org/wiki - pro-audio software overlay

drphibes (Guru), Joined: 30 Nov 2004, Posts: 432
Posted: Sat Aug 06, 2005 5:00 pm
gimpel wrote:
> Indeed 065 is fucked up again, back to 063 here.. works flawlessly.
> I really liked the "old" way most, where one could set things in permissions.d.
> For example: you want the dvd drive to be accessible for group cdrom, but the burner only for group cdrw... how the fscking heck can that be done atm? Setting up custom rules for hdc and hdd in 10-local.rules is useless, and it really should be possible to adjust that easily, shouldn't it?

065 is a mess, true. I am using 063 also. I have a custom rule for my burner to put it in cdrw. Try these local rules:

```
BUS=="ide", KERNEL="hdc", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK+="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", NAME="%k", GROUP:="cdrom"
BUS=="ide", KERNEL="hdd", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK+="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", NAME="%k", GROUP:="cdrw"
```

assuming you meant hdc=cdrom and hdd=cdrw. That should create these devices in the right GROUP, while creating the useful symlinks too. Note the GROUP:= syntax and not GROUP= (the := syntax means "cut" -- do not process any subsequent GROUP= matches for this device).

gimpel (Advocate), Joined: 15 Oct 2004, Posts: 2720, Location: Munich, Bavaria
Posted: Sun Aug 07, 2005 4:33 pm
Humm, my current 10-local.rules is:

```
BUS="ide", KERNEL="hdc", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", GROUP="cdrom", MODE="0660"
BUS="ide", KERNEL="hdd", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", GROUP="cdrw", MODE="0660"
```

So it looks like I use a wrong syntax? BUS==? GROUP:=? Very weird...
Well, with your syntax it works!
Didn't know about the cut in GROUP..
Thx dude! :)

drphibes (Guru), Joined: 30 Nov 2004, Posts: 432
Posted: Sun Aug 07, 2005 5:10 pm
I think the NAME key is always "terminal" as far as udev rule chaining is concerned, i.e. the NAME specifier will be ignored on a rule that matches later. Other keys like GROUP, however, keep chaining along until the last match is met, and then that one is used. Thus the := syntax (see man udev). I was using the old Prolog term "cut" as an analogy. You'll have to experiment with the other keys to see which ones might require the "cut" syntax. The == is just like C/C++, a comparison for equality, whereas = is assignment. Obviously you want to match on the BUS key, not assign it.
Anyhow, glad it works. Wish I could say the same for 065.
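To make drphibes's description concrete, here is an added toy evaluator (not udev's code and not from the thread) for the old udev rule vocabulary: == and != compare, = assigns and can be overwritten by a later rule, += appends, := assigns and locks the key; rule files are applied in lexical filename order, so a 10-local.rules rule runs before the stock 50-udev.rules one. STOCK_50, LOCAL_PLAIN, LOCAL_FINAL and SR0 are constructed stand-ins for the stock optical-drive rule and the two 10-local.rules variants the later posts argue over, and the linter flags the BUS="ide" form from gimpel's original file.

```python
import fnmatch
import re
# Keys that select a device rather than configure it (old udev rule vocabulary).
MATCH_KEYS = {"BUS", "KERNEL", "SUBSYSTEM", "DRIVER", "ID", "SYSFS", "ENV"}
TOKEN = re.compile(r'\s*([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"\s*,?')

def parse_rule(line):
    """One rule line -> list of (key, op, value); blank or comment lines -> []."""
    line, pos, out = line.strip(), 0, []
    if not line or line.startswith("#"):
        return out
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError("cannot parse near %r" % line[pos:pos + 20])
        out.append(m.groups())
        pos = m.end()
    return out

def is_match(key, op):
    """'==' / '!=' on any key, or '=' on a match key, is a comparison. Old udev
    tolerated BUS="ide", but it is the mistake the thread trips over."""
    return op in ("==", "!=") or key.split("{")[0] in MATCH_KEYS

def lint(line):
    """Warn where '=' is used on a match key, e.g. BUS="ide" for BUS=="ide"."""
    return ['%s="%s": match key written with "=", use "=="' % (k, v)
            for k, op, v in parse_rule(line) if op == "=" and is_match(k, op)]

def apply_rules(files, device):
    """files: [(filename, text)], applied in lexical filename order like udev
    (10-local.rules before 50-udev.rules); device: {match key: value}. '=' assigns,
    '+=' appends, ':=' assigns and locks the key. PROGRAM is stored, not run."""
    assigned, locked = {}, set()
    for _name, text in sorted(files):
        for line in text.splitlines():
            toks = parse_rule(line)
            # every comparison must hold; values are shell globs such as sr[0-9]*
            hit = all((op != "!=") == fnmatch.fnmatchcase(device.get(k, ""), v)
                      for k, op, v in toks if is_match(k, op))
            if not toks or not hit:
                continue
            for k, op, v in toks:
                if is_match(k, op) or k in locked:
                    continue
                if op == "+=":
                    assigned[k] = (assigned.get(k, "") + " " + v).strip()
                else:
                    assigned[k] = v
                    if op == ":=":
                        locked.add(k)
    return assigned

# Constructed stand-in for the stock rule that puts optical drives in root:disk
# 0660, plus the two 10-local.rules variants from the thread: plain '=' vs ':='.
STOCK_50 = 'BUS=="scsi", KERNEL=="sr[0-9]*", GROUP="disk", MODE="0660"\n'
LOCAL_PLAIN = 'BUS=="scsi", KERNEL=="sr[0-9]*", GROUP="cdrom"\n'
LOCAL_FINAL = 'BUS=="scsi", KERNEL=="sr[0-9]*", GROUP:="cdrom"\n'
SR0 = {"BUS": "scsi", "KERNEL": "sr0"}
```

With LOCAL_PLAIN the stock rule runs later and sr0 ends up in disk; with LOCAL_FINAL the GROUP key is locked at cdrom while MODE 0660 is still taken from the stock rule.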

RaZoR1394 (Guru), Joined: 09 Jan 2005, Posts: 356
Posted: Mon Aug 08, 2005 9:43 am
udev 065 messed up my CD/DVD devices as well. 064 and 064-r1 are the ones which work best for me, as the KDE system sounds finally work, so I downgraded to 064-r1.

Hobbit_HK (n00b), Joined: 11 Nov 2004, Posts: 54, Location: Israel
Posted: Tue Aug 09, 2005 9:17 am
Works for me on 065:

```
BUS=="ide", KERNEL=="hdc", GROUP:="cdrom", MODE:="0660", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}"
BUS=="ide", KERNEL=="hdd", GROUP:="cdrom", MODE:="0660", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}"
```

_________________
- Hobbit HK
Don't use stage1\2 tarballs
Do a stage1 install from a stage3 tarball

seppelrockt (Guru), Joined: 14 May 2004, Posts: 423
Posted: Tue Aug 09, 2005 9:48 am
drphibes wrote:
> 065 is a mess, true. I am using 063 also. I have a custom rule for my burner to put it in cdrw. Try these local rules:
>
> ```
> BUS=="ide", KERNEL="hdc", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK+="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", NAME="%k", GROUP:="cdrom"
> BUS=="ide", KERNEL="hdd", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK+="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", NAME="%k", GROUP:="cdrw"
> ```
>
> assuming you meant hdc=cdrom and hdd=cdrw. That should create these devices in the right GROUP, while creating the useful symlinks too. Note the GROUP:= syntax and not GROUP= (the := syntax means "cut" -- do not process any subsequent GROUP= matches for this device).

I have tried your custom rule no. 1 with udev-058 with no success. I have my dvd-cdrw combo at /dev/sr0 and the group is wrongly set to disk. Of course I have changed the rule to "scsi" and "sr0". When I just add GROUP="cdrom" to the line in 50-udev.rules it works, however. Why not with 10-local.rules?
Second, I need permissions for /dev/sg1 too, for audio CD playback, but could not find a rule in 50-udev.rules, so I'm not sure how my custom line should look. Is the BUS "scsi" too (as this is SCSI emulation, I think)?
Are there any advantages in udev-063 over 058?

Hobbit_HK (n00b), Joined: 11 Nov 2004, Posts: 54, Location: Israel

seppelrockt (Guru), Joined: 14 May 2004, Posts: 423
Posted: Tue Aug 09, 2005 11:09 am
I already had group:= in it but it didn't work. I have tried two different versions: the first (now in comments) is from this post and the second is the line from the original 50-udev.rules + the group:= argument at the end. Neither worked. Looks like 10-local.rules is not used at all?

```
~ # cat /etc/udev/rules.d/10-local.rules
# This custom udev rules should hopefully fix my group permission problems for the DVD-CDRW Combo on Dell I6000
# For further information see http://forums.gentoo.org/viewtopic-t-355069-postdays-0-postorder-asc-start-75.html
#BUS=="scsi", KERNEL="sr0", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK+="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", GROUP:="cdrom"
BUS="scsi", KERNEL="sr[0-9]*", PROGRAM="/etc/udev/scripts/cdsymlinks.sh %k", SYMLINK="%c{1} %c{2} %c{3} %c{4} %c{5} %c{6}", GROUP:="cdrom"
```

Where does udev put the log? I have enabled logging but there is nothing in /var/log, and dmesg | grep -i udev doesn't show anything.

Hobbit_HK (n00b), Joined: 11 Nov 2004, Posts: 54, Location: Israel

seppelrockt (Guru), Joined: 14 May 2004, Posts: 423
Posted: Tue Aug 09, 2005 11:27 am
Hobbit_HK wrote:
> Udev is supposed to use syslog, so maybe check log/everything to something..
> And try to use == and not = in your comparisons.

As you can see in my previous post of 10-local.rules, I used == in the first try (now commented); it didn't help. To avoid syntax errors I tried group:="cdrom" instead of group="cdrom" in 50-udev.rules, and it doesn't work. Only = works here, so maybe there were syntax changes after udev-058?
This would mean: how do I tell udev not to overwrite entries from 10-local.rules? I commented out the line in 50-* regarding my cdrom and set it in 10-* (with GROUP="cdrom") to find out whether 10-* works but is overwritten by 50-*, but no success. Seems like 10-* is still not used. Do I have to do something else to tell udev to regard my custom rules? Permissions for 10-* are right, btw.

Hobbit_HK (n00b), Joined: 11 Nov 2004, Posts: 54, Location: Israel