LinuxQuestions.org
Old 09-15-2005, 08:14 AM   #1
Dynom8
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Rep: Reputation: 0
Disabling CD burner write access?


This pertains to Debian Sarge 3.1. I would like to know if there is a way to disable a CD burner's write access for particular users? I noticed in the /etc/group file that there is a cdrom group and certain users can be members of that group.

Let's say I have a user named "test."

I tried chmod 775 on /media/cdrom, which is a link to /dev/hda. I then edited the /etc/group file and did not make user "test" a member of that group. In my mind, because "test" is not a member of the cdrom group, and world permissions on /dev/hda do not include write, "test" should not have the ability to write to a cd. I tested this and it did not seem to work. Does anyone have any additional information, and does anyone know if the above scenario should work? Thanks.

- Dyno
 
Old 09-15-2005, 08:36 AM   #2
vinay_s_s
Member
 
Registered: Jul 2003
Posts: 659

Rep: Reputation: 30
Make it 660 and make sure the user is not in the group (use the groups command to check).
Also, if Debian uses udev/devfs, then permissions changed with chmod won't stay in effect; you will need to edit a file containing the rules (check your local docs for that).
 
Old 09-15-2005, 08:37 AM   #3
vinay_s_s
Member
 
Registered: Jul 2003
Posts: 659

Rep: Reputation: 30
Oh, and check the user/group data of /dev/hda; if it's not root:cdrom, then you will need to fix it too.
 
Old 09-15-2005, 08:43 AM   #4
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,987

Rep: Reputation: 388
All cd burning programs are just front ends for cdrecord IIRC. You could create a cd burning group and set the owner/group ownership of cdrecord to root:cdburn_group and set the execute permissions to owner and group only. Then only members of the cd burning group would be able to use cdrecord.
 
Old 09-15-2005, 08:50 AM   #5
Dynom8
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for the response. I apologize for not being more clear in my initial post. I don't want to disable write access for all users, only for users not in the cdrom group. Just curious as to why I would want to disable execute on user, group, and world? I would still like world to have read and execute, but those users do not need write access. Permissions on the user and group should still be wide open. Am I looking at this illogically? Would removing execute permission disable the ability to write to a CD?

- Dyno
 
Old 09-15-2005, 12:35 PM   #6
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,987

Rep: Reputation: 388
I guess I wasn't very clear. To sum it up, the only way to "write" to a cd-r in linux is to execute cdrecord. By restricting execute permissions on cdrecord to a set group, you can control who has access to cd burning. That's the most straightforward way of addressing the problem IMHO.

I'm not even sure what it means to set an execute permission on a cdrom device, if it means anything. Hardware isn't executed. I don't see any execute permissions on any of my drives. Access to the drive will be controlled by device file ownership, here probably root:cdrom, and permissions, which I agree should be 660. That will restrict read/write access to the drive to root and members of the cdrom group, which I think is what you want. If you're running udev, these permission changes will not survive a reboot, as noted by vinay. So then you need to hack an init script to reset them every time you reboot or directly change the udev config file.

I thought it would be easier to just change permissions/ownership on cdrecord. Restricting cdrecord to root and the cdrom group would be done with:

# chown root:cdrom /usr/bin/cdrecord
# chmod 770 /usr/bin/cdrecord
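
As an added example (not code from any poster in this thread), the script below works out which single permission class the kernel consults for a given user on a device node and whether that class carries the write bit, which is the check posts #2, #3 and #6 describe. The user `test`, the group `cdrom` and the modes come from the thread; the function names and the group list "test users" are constructed for illustration, and `node_write_access` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: which permission class, if any, lets a user open a
# CD device node for writing. Function names are illustrative.

# write_class MODE OWNER GROUP USER "USER_GROUPS"
# MODE is octal as printed by `stat -c %a`. Prints owner|group|other|none.
# Only one class is consulted: owner if the user owns the node, otherwise
# group if the user is a member, otherwise other. Root is not modelled
# here because it bypasses the mode bits.
write_class() {
    m=$((0$1))                        # leading 0: read the mode as octal
    if [ "$4" = "$2" ]; then
        class=owner; w=$(( m & 0200 ))
    else
        case " $5 " in
            *" $3 "*) class=group; w=$(( m & 0020 )) ;;
            *)        class=other; w=$(( m & 0002 )) ;;
        esac
    fi
    if [ "$w" -ne 0 ]; then echo "$class"; else echo none; fi
}

# node_write_access PATH USER
# Same answer for a real node. -L follows a symlink to the device file.
# Returns 2 if the path or the user cannot be looked up.
node_write_access() {
    info=$(stat -L -c '%a %U %G' "$1") || return 2
    ugroups=$(id -Gn "$2") || return 2
    set -- $info "$2" "$ugroups"      # mode owner group user groups
    write_class "$@"
}

# Constructed cases: node owned by root:cdrom, user "test" not in cdrom.
for mode in 775 660 666; do
    printf '%s root:cdrom test -> %s\n' "$mode" \
        "$(write_class "$mode" root cdrom test "test users")"
done
```

`id -Gn` reads the group database, so a session that was already open when /etc/group was edited may still hold the old membership until the user logs in again.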
 
Old 09-15-2005, 12:59 PM   #7
Dynom8
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Rep: Reputation: 0
kilgoretrout - Thanks so much for the response. I will try this and give an update as to whether that works for me. Thanks again.

- Dyno
 
All times are GMT -5.