Bug 61447 - gtoaster not using console permissions
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: gtoaster
Version: 7.3
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Ngo Than
Reported: 2002-03-19 16:04 EST by Daryll
Modified: 2007-04-18 12:41 EDT
Doc Type: Bug Fix
Last Closed: 2005-06-29 13:02:56 EDT
Description Daryll 2002-03-19 16:04:31 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901

Description of problem:
The permission policy on gtoaster seems a bit strange. Right now the
console.perms file includes the cdwriter, which means it would be possible for a
normal user to run gtoaster if it weren't set up with consolehelper.
Unfortunately, if they do that they're prompted for the root password. If they
provide the root password, gtoaster is run as root and they can access
privileged files on the system.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Log in as a normal user
2. Run gtoaster


Actual Results:  Notice that it pops up a dialog box asking for the root password.

Expected Results:  Gtoaster should just run

Additional info:

I think there are two distinct uses. One is normal use where the user is just
writing some of their files and the other is doing a backup where the user needs
to access all the files on the system.

Currently, gtoaster is set up for the backup case, where the user has to provide
the root password, then they can access any file on the system. I'd like to see a
way where users could write CDs as themselves.
Comment 1 Daryll 2002-03-22 13:29:39 EST
This is actually with beta2 and beta3 as well as 7.2
Comment 2 Ngo Than 2002-03-26 08:22:27 EST
You should install the kapabilities package. This package allows you to configure
any users to do that without the root password.
Comment 3 Daryll 2002-03-26 10:39:50 EST
No, kapabilities is not the right answer. I don't want the user to run gtoaster
as root, I want them to run it as themselves. If I wanted them to have access to
it I could have modified the pam configuration to use pam_console. I don't want
them to have root access to all the files on the system, I just want them to be
able to burn a CD of files they normally have access to. 

You've got two security systems working and they are conflicting. The first
security system is /etc/security/console.perms. It is setting the permissions on
/dev/scd0 so the user has access to it. If this was all you were doing
everything would be great for what I want, because the user could run gtoaster
and it would work.

The second security system is the consolehelper wrapper. It requires a root
password and gives you root access to the system. This is good if the user wants
to do a root backup of the system to a CD and needs to write system files.
Unfortunately, once you've done this you break the first capability of users
being able to burn CDs as themselves.

Both capabilities are useful, but you've broken the first in the way you've
set up the second.
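
The conflict described in Comment 3 can be checked mechanically. The following is an added example, not part of the original bug report or of gtoaster: it parses a constructed console.perms sample and tests whether a launcher is wrapped by consolehelper. It assumes the usual wrapper layout, where the launcher is a symlink to consolehelper; the `<cdwriter>` class contents and all function names are hypothetical.

```python
import fnmatch, os, re, tempfile

# Constructed sample in console.perms syntax (not copied from the bug report).
SAMPLE_PERMS = """\
<console>=tty[0-9][0-9]* :[0-9]
<cdwriter>=/dev/scd* /dev/cdwriter*
# rule: class mode device-class revert-mode revert-owner.group
<console> 0600 <cdwriter> 0660 root.disk
"""

def console_granted(perms_text, device):
    """Return the mode the console user gets on `device`, or None if not granted."""
    classes, rules = {}, []
    for line in perms_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(<\w+>)=(.*)", line)
        if m:
            classes[m.group(1)] = m.group(2).split()   # class definition
        else:
            rules.append(line.split())                 # permission rule
    for rule in rules:
        if len(rule) >= 3 and rule[0] == "<console>":
            globs = classes.get(rule[2], [rule[2]])    # class name or literal path
            if any(fnmatch.fnmatch(device, g) for g in globs):
                return rule[1]
    return None

def wrapped_by_consolehelper(launcher):
    """True if `launcher` is a symlink whose target is named consolehelper."""
    return (os.path.islink(launcher)
            and os.path.basename(os.readlink(launcher)) == "consolehelper")

def audit(perms_text, device, launcher):
    mode = console_granted(perms_text, device)
    if mode and wrapped_by_consolehelper(launcher):
        return "conflict: device is user-accessible (%s) but launcher escalates to root" % mode
    if mode:
        return "ok: runs as the console user with device mode %s" % mode
    return "device not granted to the console user"

def demo():
    """Audit a throwaway directory that mimics a consolehelper-wrapped launcher."""
    link = os.path.join(tempfile.mkdtemp(), "gtoaster")
    os.symlink("consolehelper", link)  # dangling link; only the target name is read
    return audit(SAMPLE_PERMS, "/dev/scd0", link)
```
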
Comment 4 Ngo Than 2005-06-29 13:02:56 EDT
gtoaster is not included in Fedora anymore; please report the bug to the author. Thanks.
