cdrecord as normal user - Slackware

This is a discussion on cdrecord as normal user - Slackware ; Niki Kovacs wrote: > Well, more often than not, I wish I had none. There's that old lady, > Madame Bancel. She's a retired school teacher, helping out in the public > library every wednesday morning. After a few hours ...

+ Reply to Thread
Page 2 of 2 FirstFirst 1 2
Results 21 to 38 of 38

Thread: cdrecord as normal user

  1. Re: cdrecord as normal user

    Niki Kovacs wrote:
    > Well, more often than not, I wish I had none. There's that old lady,
    > Madame Bancel. She's a retired school teacher, helping out in the public
    > library every wednesday morning. After a few hours of right-and-left
    > single-and-double-clicking on every conceivable and inconceivable part of
    > the screen, my carefully configured XFCE desktop looks like the Hilton
    > Suite after a party with Metallica and two dozens of groupies.


    there's currently a thread on the xfce general mailing list about setting
    up xfce for multiple users, and using kiosk functionality, etc. perhaps
    there's something there that you might be able to use to keep your madame
    bancel from partying like metallica?

    archives to be found here:



    it's a current discussion, subject is "How to customize panel items via
    ssh".


    --
    Joost Kremers joostkremers@yahoo.com
    Selbst in die Unterwelt dringt durch Spalten Licht
    EN:SiS(9)

  2. Re: cdrecord as normal user

    On 2007-10-08, Joost Kremers wrote:
    > Niki Kovacs wrote:
    >> Well, more often than not, I wish I had none. There's that old lady,
    >> Madame Bancel. She's a retired school teacher, helping out in the public
    >> library every wednesday morning. After a few hours of right-and-left
    >> single-and-double-clicking on every conceivable and inconceivable part of
    >> the screen, my carefully configured XFCE desktop looks like the Hilton
    >> Suite after a party with Metallica and two dozens of groupies.

    >
    > there's currently a thread on the xfce general mailing list about setting
    > up xfce for multiple users, and using kiosk functionality, etc. perhaps
    > there's something there that you might be able to use to keep your madame
    > bancel from partying like metallica?
    >
    > archives to be found here:
    >
    >
    >
    > it's a current discussion, subject is "How to customize panel items via
    > ssh".


    Hehe - I was just about to refer Niki to that thread :-)

    RW

  3. Re: cdrecord as normal user

    Kees Theunissen wrote:
    > Joseph H. Rosevear wrote:


    [snip]

    > I see three *big* security issues with this.


    Thanks, Kees, I hadn't thought much about security. Let me reply to
    you objections.

    > First you run the user owned script ~/prep with root privilege. A
    > user can simply put any command (s)he likes to run as root in that
    > script.


    Niki's users probably wouldn't need access to prep, so make it
    root:root 700.

    > Second using this scripts you'll run the user's $HOME/.bashrc
    > with root privilege. So a user can also put any command (s)he likes
    > in .bashrc and run that command as root.


    Again, the users probably wouldn't need access. Make .bashrc
    root:root 644.

    > Third you trust the command line supplied by the user. This is yet
    > an other way for the user to specify any command to be run as root.
    > A user could call the k_burnit script for instance as:
    > sudo k_burnit 'blah;/bin/bash'
    > to get a root shell as k_burnit will run in this case:
    > ~/prep burnit blah;/bin/bash


    See my second version (already posted) called k_burnit2.

    It went like this:

    k_burnit2:

    #!/bin/sh
    ~/prep burnit2 $*

    But burnit2 uses no arguments so I should have written it like this:

    k_burnit2:

    #!/bin/sh
    ~/prep burnit2

    > Regards,


    > Kees.


    Thanks for your help, Kees.

    -Joe

  4. Re: cdrecord as normal user

    Niki Kovacs wrote:
    > Le Mon, 08 Oct 2007 02:47:54 +0000, Joseph Rosevear a ?crit?:
    >
    >> Wow. Sounds like you have an honorable task before you. I often wish I
    >> had users.

    >
    > Well, more often than not, I wish I had none. There's that old lady,
    > Madame Bancel. She's a retired school teacher, helping out in the public
    > library every wednesday morning. After a few hours of right-and-left
    > single-and-double-clicking on every conceivable and inconceivable part of
    > the screen, my carefully configured XFCE desktop looks like the Hilton
    > Suite after a party with Metallica and two dozens of groupies.
    >
    > cheers,
    >
    > Niki


    Niki,

    I appreciate your humor. What I do at work is somewhat the same. And
    I just realized that I do have users. I'm ashamed that I discounted
    them.

    I work in a special education classroom. The children in our classroom
    are aged 7-11 but are operating a level lower than that. They too
    click on everything. They use a Mac and a Linux box in our room. The
    Mac is gradually getting trashed. I'm expecting that some day I won't
    be able to put it back to right. The Linux box runs twm and has been
    configured to be mostly fiddle proof.

    Thanks for your (brief) story about Madame Bancel. I enjoyed it.

    How did you wind up doing what you do? I'm especially wondering where
    Windows went? How fabulous!

    -Joe

  5. Re: cdrecord as normal user

    Kees Theunissen wrote:
    > Joseph H. Rosevear wrote:
    >

    [snip]
    >
    > I see three *big* security issues with this.


    [snip]

    > Regards,
    >
    > Kees.
    >


    Kees,

    How about you? Do you have users? Sounds like you have some
    experience in keeping the users out of root.

    -Joe

  6. Re: cdrecord as normal user

    Joseph H. Rosevear wrote:
    > Kees Theunissen wrote:
    >> Joseph H. Rosevear wrote:

    >
    > [snip]
    >
    >> I see three *big* security issues with this.

    >
    > Thanks, Kees, I hadn't thought much about security. Let me reply to
    > you objections.
    >
    >> First you run the user owned script ~/prep with root privilege. A
    >> user can simply put any command (s)he likes to run as root in that
    >> script.

    >
    > Niki's users probably wouldn't need access to prep, so make it
    > root:root 700.


    That won't protect you.
    If a file is in a user's home directory then the user can delete or
    rename the file and create its own version with the original name.
    You don't need write access to a file to delete or rename it.
    Write access to the directory containing the file is sufficient
    regardless of the file's permission.

    >
    >> Second using this scripts you'll run the user's $HOME/.bashrc
    >> with root privilege. So a user can also put any command (s)he likes
    >> in .bashrc and run that command as root.

    >
    > Again, the users probably wouldn't need access. Make .bashrc
    > root:root 644.


    Again, the user can still delete and replace .bashrc.

    >
    >> Third you trust the command line supplied by the user. This is yet
    >> an other way for the user to specify any command to be run as root.
    >> A user could call the k_burnit script for instance as:
    >> sudo k_burnit 'blah;/bin/bash'
    >> to get a root shell as k_burnit will run in this case:
    >> ~/prep burnit blah;/bin/bash

    >
    > See my second version (already posted) called k_burnit2.
    >
    > It went like this:
    >
    > k_burnit2:
    >
    > #!/bin/sh
    > ~/prep burnit2 $*
    >
    > But burnit2 uses no arguments so I should have written it like this:
    >
    > k_burnit2:
    >
    > #!/bin/sh
    > ~/prep burnit2


    There are still other attack vectors in your scripts.
    I checked sudo on a Slack 11.0 system. Lots of environment variables
    are cleared by sudo, but the user's $PATH is kept. What does this
    mean? In your scripts you used several commands without specifying
    the full path. In ~/prep you used: chmod and bash (export and echo
    are internal bash functions), in burnit2: rm, mkisofs and cdrecord.
    So a user can put some user writable directory early in the search
    path and replace any of these commands with his/her own executable.

    There are probably more attack vectors.
    It's difficult to write really safe scripts and there is a reason
    that suid/sgid scripts are not supported in linux.

    As a general rule, if you need to let users run a program with
    root privileges, you should run as few code with elevated privilege
    as possible. Why run a rather complicated script with root rights,
    creating and running other scripts on the fly, if you could have
    used "sudo /usr/bin/cdrecord ....." in a script running with the
    user's own rights?

    Regards,

    Kees.

    --
    Kees Theunissen.

  7. Re: cdrecord as normal user

    Joseph Rosevear wrote:

    > Kees,
    >
    > How about you? Do you have users? Sounds like you have some
    > experience in keeping the users out of root.


    With a few others I'm running the computer and network
    infrastructure of a physics lab. About 100 users in a
    mixed windows/unix/linux environment.

    Regards,

    Kees.

    --
    Kees Theunissen.

  8. Re: cdrecord as normal user

    On Tue, 09 Oct 2007 14:32:29 +0000, Niki Kovacs wrote:

    > for the last year (since
    > August 2006), my job consisted of nuking existing Windows installs and
    > replace them by Linux.


    The perfect job!

  9. Re: cdrecord as normal user

    Niki Kovacs wrote:
    > Le Tue, 09 Oct 2007 06:02:20 +0000, Joseph Rosevear a écrit*:


    [snip]

    > So right now, I'm busy configuring a brand-new slim and newbie-friendly
    > XFCE-based desktop... and getting paid for this (not much, alas / ).
    > Here's what it looks like:


    > http://slackware.kikinovak.ath.cx/de...re-desktop.png


    > cheers,


    > Niki


    Niki,

    Thanks for the information. It was very interesting reading, and your
    desktop was interesting to see also. I'm interested to learn more and
    see more. Are there any pictures, webpages or articles about you, your
    work or the community you are serving?

    Also I'm wondering something. I've never setup a Linux desktop for
    someone and then set them free to use it. Is that working? Users have
    problems and needs, and Slackware is a bit rough around the edges
    (setting up printers, for example). Hopefully, you have some helpers.
    You are just one person, after all.

    How do you do it?

    -Joe

  10. Re: cdrecord as normal user

    On Tue, 09 Oct 2007 14:32:29 +0000, Niki Kovacs wrote:

    > So right now, I'm busy configuring a brand-new slim and newbie-friendly
    > XFCE-based desktop... and getting paid for this (not much, alas / ).
    > Here's what it looks like:
    >
    > http://slackware.kikinovak.ath.cx/de...re-desktop.png


    The "winamp" in the title bar made me jump... :-)

  11. Re: cdrecord as normal user

    Le Wed, 10 Oct 2007 07:32:06 +0000, Joseph H. Rosevear a écritÂ*:
    >
    > Thanks for the information. It was very interesting reading, and your
    > desktop was interesting to see also. I'm interested to learn more and
    > see more. Are there any pictures, webpages or articles about you, your
    > work or the community you are serving?


    I'm a regular contributor for "Linux Pratique", a specialized magazine
    published every two months (30.000 copies). In this month's paper, I've
    contributed three articles: 1) RPM (CentOS, Fedora, RHEL), 2) Yum (dito),
    3) how to setup X.org manually (e. g. with X -configure and a text
    editor).

    I have a site http://linux.kikinovak.net but it's a bit outdated. Mostly
    Debian and CentOS stuff.

    >
    > Also I'm wondering something. I've never setup a Linux desktop for
    > someone and then set them free to use it. Is that working?


    Of course it is. And you won't have the Windows Tamagotchi effect. I have
    some 10.0 installs that still run nice )

    > Users have
    > problems and needs, and Slackware is a bit rough around the edges
    > (setting up printers, for example).


    Yeah, that's where the learning comes in. I started installing Linux here
    and there around 2002. I did have some embarrassing experiences
    (winmodems, winprinters, exotic motherboards, unsupported software...),
    but that's how you learn. People tell you what they need, and then you
    try to figure it out for them. Do this a lot, and you'll end up knowing
    Slackware a bit more.


    > Hopefully, you have some helpers.
    > You are just one person, after all.


    I know one guy living 40 km from here who also runs Slackware. But my
    main help is the internet, and AOLS especially. Over the years, I got
    pretty much every question answered in this NG.

    I first learnt Linux with basiclinux.net, who now became linuxbasics.org.
    I can only recommend these folks to you. Learn the basics of Linux,
    independently of your distro, and everything on the commandline.

    cheers,

    Niki

  12. Re: cdrecord as normal user

    Le Wed, 10 Oct 2007 02:40:19 +0000, ~kurt a écritÂ*:

    > That is excellent. You get to do an interesting job, and promote the
    > use of a damn good OS.


    Yeah. Nice feeling running cfdisk on all those NTFS/FAT32 partitions )

    cheers,

    Niki

  13. Re: cdrecord as normal user

    Le Wed, 10 Oct 2007 09:40:21 +0200, Mark South a écritÂ*:
    >
    > The "winamp" in the title bar made me jump... :-)


    I just liked the theme, sorry |


  14. Re: cdrecord as normal user

    Niki Kovacs wrote:

    [snip]

    > I'm a regular contributor for "Linux Pratique", a specialized magazine
    > published every two months (30.000 copies). In this month's paper, I've
    > contributed three articles: 1) RPM (CentOS, Fedora, RHEL), 2) Yum (dito),
    > 3) how to setup X.org manually (e. g. with X -configure and a text
    > editor).


    Thanks.

    > I have a site http://linux.kikinovak.net but it's a bit outdated. Mostly
    > Debian and CentOS stuff.


    Again, thanks.

    [snip]

    > Yeah, that's where the learning comes in. I started installing Linux here
    > and there around 2002. I did have some embarrassing experiences
    > (winmodems, winprinters, exotic motherboards, unsupported software...),
    > but that's how you learn. People tell you what they need, and then you
    > try to figure it out for them. Do this a lot, and you'll end up knowing
    > Slackware a bit more.


    I was wondering how you did it. Perhaps you answered my question. You
    personally provide the needed expertise to solve problems as they
    occur.

    [snip]

    > I know one guy living 40 km from here who also runs Slackware. But my
    > main help is the internet, and AOLS especially. Over the years, I got
    > pretty much every question answered in this NG.


    Still, I marvel. Do you personally install every application and every
    printer in your community of communes?

    > I first learnt Linux with basiclinux.net, who now became linuxbasics.org.
    > I can only recommend these folks to you. Learn the basics of Linux,
    > independently of your distro, and everything on the commandline.


    I'm all for the command line. I think bash is great. Sadly, I've no
    experience with other distros. I see your point.

    > cheers,


    > Niki


    Thanks for the info.

    -Joe

  15. Re: cdrecord as normal user

    Kees Theunissen wrote:
    > Joseph H. Rosevear wrote:


    [snip]

    > > Niki's users probably wouldn't need access to prep, so make it
    > > root:root 700.


    > That won't protect you.
    > If a file is in a user's home directory then the user can delete or
    > rename the file and create its own version with the original name.
    > You don't need write access to a file to delete or rename it.
    > Write access to the directory containing the file is sufficient
    > regardless of the file's permission.


    I think I was surprised by this truth once or twice before. Thanks for
    the reminder.

    [snip]

    > There are still other attack vectors in your scripts.
    > I checked sudo on a Slack 11.0 system. Lots of environment variables
    > are cleared by sudo, but the user's $PATH is kept. What does this
    > mean? In your scripts you used several commands without specifying
    > the full path. In ~/prep you used: chmod and bash (export and echo
    > are internal bash functions), in burnit2: rm, mkisofs and cdrecord.
    > So a user can put some user writable directory early in the search
    > path and replace any of these commands with his/her own executable.


    Yes, I've grown lazy that way. Easier (and more fun) to let $PATH
    resolve the location, than to specify it myself.

    [snip]

    > As a general rule, if you need to let users run a program with
    > root privileges, you should run as few code with elevated privilege
    > as possible. Why run a rather complicated script with root rights,
    > creating and running other scripts on the fly, if you could have
    > used "sudo /usr/bin/cdrecord ....." in a script running with the
    > user's own rights?


    I see your point about security.

    > Regards,


    > Kees.


    Thanks for the tips.

    -Joe

  16. Re: cdrecord as normal user

    Kees Theunissen wrote:

    [snip]

    > With a few others I'm running the computer and network
    > infrastructure of a physics lab. About 100 users in a
    > mixed windows/unix/linux environment.


    Ahh. I wonder if yours resembles the environment where I worked about
    twenty years ago.

    I was an engineer for a large Aerospace Company, and I worked in the
    Structures Analysis department. I did not manage the computers or
    network, rather I was a user.

    I spent some time writing software for structural analysis. This lead
    me to address the question of organization and documentation of
    software. Which lead to a little fooling around with the PATH variable
    and some scripting.

    Is organization and documentation of software an issue where you work?
    Do your users write/document/share code?

    I just wondered.

    > Regards,


    > Kees.


    Keep up the good work.

    -Joe

  17. Re: cdrecord as normal user

    Joseph H. Rosevear wrote:
    >
    > Is organization and documentation of software an issue where you work?
    > Do your users write/document/share code?


    I get the feeling most code was written with the idea that it is self
    documenting.

    I haven't come across documentation for engineering analysis code that
    was of much good for anything, other than code that was written in the
    80's or (much) earlier - that might just be my line of work though (orbital
    analysis). Most of the newer code seems to be rewritten from the older
    (FORTRAN) code, by people who don't totally understand what they are doing,
    and any documentation that is written is more of pseudo code crap instead
    of a real explanation of the algorithm.

    - Kurt

  18. Re: cdrecord as normal user

    ~kurt wrote:
    > Joseph H. Rosevear wrote:
    > >
    > > Is organization and documentation of software an issue where you work?
    > > Do your users write/document/share code?


    > I get the feeling most code was written with the idea that it is self
    > documenting.


    > I haven't come across documentation for engineering analysis code that
    > was of much good for anything, other than code that was written in the
    > 80's or (much) earlier


    That's when our code was written.

    > - that might just be my line of work though (orbital analysis).


    OK, your background overlaps with mine a little.

    > Most of the newer code seems to be rewritten from the older (FORTRAN)
    > code, by people who don't totally understand what they are doing, and
    > any documentation that is written is more of pseudo code crap instead
    > of a real explanation of the algorithm.


    > - Kurt


    Kurt,

    Say you've got a collection of engineers who use a collection of
    software. How are they going to do it? Likely someone is in charge of
    each piece of software, but the average user may not know what software
    is available, who is in charge, where to find it, or how to make it go.
    Together, these things formed most important documentation for the
    software we used.

    Secondary (but also important), was the input file format. Our
    software usually ran at the command line, read input from a file, and
    wrote output to a file. A handy reference (on paper in a dusty
    notebook) sufficed to define the input format, but users needed to know
    where to find the document. For example, "Find the documentation in
    Fred's book case." This document could also give the theory the
    analysis was based on.

    We ran code like SQ5 (did stress, strain and failure analysis for
    composite laminated plates) and BOSOR (did similar analysis for
    Buckling of Shells of Revolution).

    I guess I miss those days, although they were a mixed bag--not always
    pleasant. I never did get my ideas for sharing code and documentation
    out of my system.

    -Joe

+ Reply to Thread
Page 2 of 2 FirstFirst 1 2