X-CD-Roast 0.98alpha13 ---------------------- The non-root mode allows that X-CD-Roast can be started by any user and not only by "root". Please note that X-CD-Roast 0.98alpha13 can configure the non-root mode fully automatic. At the first startup as root you will be prompted to enable the non-root mode. But you can always enable and disable the non-root mode again in the setup menu. So these instruction here are just for curious and not required to use the non-root mode of X-CD-Roast. Distribution-vendors: No need to patch X-CD-Roast to disable non-root mode! By default X-CD-Roast comes now without any special groups or suid/sgid-bits! Instructions for non-root setup (If you prefer not to use the automatic!) ----------------------------------------- If you do not want to let other users use X-CD-Roast, you are free to skip all these instructions and just start X-CD-Roast always as root. Please change the permissions according to this README to allow normal users to run X-CD-Roast. We have to create a new group "xcdwrite". Note: DO NOT PUT ANY USERS INTO THAT GROUP. This was common error people made for alpha7. Do not change any group for any user. Just create this group. Nothing more. The new wrapper becomes now set-gid xcdwrite, which allows access to all cdrecord-tools. Because all cdrecord-tools are suid-root, they have full access to the generic-scsi-devices. X-CD-Roast can now decide which user is allowed to burn, by checking the configuration the root user created. Details about this later... Setting the permissions ----------------------- Please install cdrecord-1.11 now. You can copy the binaries to $PREFIX (e.g. /usr/bin or /usr/local/bin) or to the library-directory of xcdroast (e.g. /usr/local/lib/xcdroast-0.98/bin). X-CD-Roast will look in both dirs. This is described in detail in the README-file. On most current distributions cdrecord-1.11 should already pre-installed in /usr/bin. In this case you have to set the $PREFIX to /usr in the Makefile. Or use your private copies of cdrecord-1.11 in the lib-dir of X-CD-Roast (or set $CDRTOOLS_PREFIX to /usr). As result you may have an installation like this: -rwxr-xr-x 1 root root 168828 Aug 8 20:17 /usr/bin/cdrecord -rwxr-xr-x 1 root root 169308 Aug 8 20:17 /usr/bin/cdda2wav -rwxr-xr-x 1 root root 324220 Aug 8 20:17 /usr/bin/mkisofs -rwxr-xr-x 1 root root 90812 Aug 8 20:17 /usr/bin/readcd In Linux the generic-scsi-devices should look something like this: (Most possible this does look different on non-linux-systems. The non-root-mode was only tested on Linux and may not work on other systems yet.) crw------- 1 root sys 21, 2 Aug 24 11:00 /dev/sg0 crw------- 1 root sys 21, 2 Aug 24 11:00 /dev/sg1 crw------- 1 root sys 21, 2 Aug 24 11:00 /dev/sg2 ... Now run the following commands to set the special permissions needed for X-CD-Roast: /usr/sbin/groupadd xcdwrite cd /usr/bin; # OR cd /usr/local/bin - whatever chown root:xcdwrite cdrecord cdda2wav mkisofs readcd chmod 4710 cdrecord cdda2wav mkisofs readcd (Adds a new group "xcdwrite" to the system and makes all the cdrecord- binaries only runable by root or somebody in the xcdwrite group) This is the result: -rws--x--- 1 root xcdwrite 169308 Aug 8 20:17 /usr/bin/cdda2wav -rws--x--- 1 root xcdwrite 168828 Aug 8 20:17 /usr/bin/cdrecord -rws--x--- 1 root xcdwrite 324220 Aug 8 20:17 /usr/bin/mkisofs -rws--x--- 1 root xcdwrite 90812 Aug 8 20:17 /usr/bin/readcd Any users which are in group xcdwrite can now start all the cdwriting-tools. (Again, for X-CD-Roast it is not necessary to put any users manually into the xcdwrite group! X-CD-Roast does handle that with the sgid-bit on the wrapper) Therefore all we have to do, is to put the wrapper into that group and we are fine. This is done with the following commands: After a make install the wrapper was installed in /usr/local/lib/xcdroast-0.98/bin or /usr/lib/xcdroast-0.98/bin Please change now to the corresponding directory and enter: chown root:xcdwrite xcdrwrap chmod 2755 xcdrwrap Usage of the non-root-mode -------------------------- After X-CD-Roast was installed and all the permissions set correctly, it can be started. The first time root have to start it, to create the root-configuration-file /etc/xcdroast.conf. Without this file, a normal user will get an error message. Root gets a new menu in setup, which allows him to define which users can start X-CD-Roast on which hosts. There is also the possibility of defining how much a user is allowed to change in the setup-menu. It's possible that a normal user should not be able to change the cdwriter-device or the directory where image-files are created in. These settings apply to ALL allowed users. Please see the tooltip-help for a detailed description of each option. After root saved the configuration, all normal users (which have been given permission by root via the setup) can start up X-CD-Roast. If root denied them access to some options in the setup, then this options are greyed out, and cannot be changed. Thats all - please point out any security problems. I tested this only on Linux-systems, I am not sure if this works on other platforms. If you use a non-Linux system and get X-CD-Roast running fine as non-root user, please send me a detailed description of all changes. 01.01.2003 Thomas Niederreiter (tn@xcdroast.org)