Adding ECLiPt Roaster to PAM

Finding the ECLiPt Roaster (eroaster) Package

Burning CD-R and CD-RW media can be done entirely with packages that are included with Red Hat Linux. However, some users may prefer the simple drag-and-drop interface offered by the ECLiPt Roaster front-end program, also known as eroaster. This program uses the same back-end tools such as cdrecord, cdda2wav and mkisofs as other solutions, but presents a GTK-styled front end on top of it.

This eroaster program is not shipped with Red Hat Linux. It can be found at any of the leading RPM package producer websites. Use a search engine to find a recent version in RPM format or visit the ECLiPt home page is at http://eclipt.uni-klu.ac.at/index.php for details.

Integrating ECLiPt Roaster with a PAM Launcher

Since the default Red Hat Linux configuration leaves the CD-R devices with protected permission flags, a user must decide one of the following courses of action.

• change device permissions for promiscuous access by any user
• use the eroaster or other burning tool as the root user

Several other tools included with Red Hat Linux opt for the latter approach for system security reasons. The pluggable authentication mechanism (or PAM) is a highly configurable facility to grant limited access to various system features. This flexibility is also daunting and complex.

This procedure adds eroaster to the PAM security system just like other security-conscious tools included with Red Hat Linux.

First, we install the eroaster package. Then we move its key executable to a safe location that is not on the average user's path. Then we make a symlink so the original command actually invokes a PAM feature called consolehelper.

$ su - # rpm -i eroaster-2.0.12-1.noarch.rpm # mv /usr/bin/eroaster /usr/sbin/eroaster # ln -s /usr/bin/consolehelper /usr/bin/eroaster

Lastly, we create the PAM configuration files from existing examples already on the Red Hat Linux system. The consolehelper will read these to determine whether or not the user must provide the root account password, and then will execute the real program if authorized. Create the following two files, listed here in their entirety.

/etc/pam.d/eroaster (full example file)

#%PAM-1.0 auth sufficient /lib/security/pam_rootok.so auth required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_permit.so session optional /lib/security/pam_xauth.so account required /lib/security/pam_permit.so

/etc/security/console.apps/eroaster (full example file)

USER=root PROGRAM=/usr/sbin/eroaster SESSION=true

Once configured, running /usr/bin/eroaster via the command line or via a GNOME panel launcher will first pop up a password query, and then execute the actual eroaster tool with root user privileges.

Contact Ed Halley by email at ed@halley.cc. Text, code, layout and artwork are Copyright © 1996-2005 Ed Halley. Copying in whole or in part, with author attribution, is expressly allowed. Any references to trademarks are illustrative and are controlled by their respective owners.