cdrtools/cdrecord/README.rscsi

The Remote-SCSI protocol gives you SCSI-Anywhere features.

There are three possible ways to control access to the remote users:

	-	Let the remote scsi lib log in as a standard user.
		In this case rscsi will be called via sh -c /opt/schily/sbin/rscsi
		NOTE: In this case, rscsi must be installed suid root. 
		--- This would need to allow any valid local user to access SCSI ----
		It could be a security problem.

	-	Log in as root and call rscsi via sh -c /opt/schily/sbin/rscsi
		NOTE that this will fore you to allow remote logins as root
		which is considered to be a security hole.

	-	Create one or more special user(s) that have /opt/schily/sbin/rscsi
		as login shell with their own home directory.
		You then may create special .rhosts files for each user.
		NOTE: In this case, rscsi must be installed suid root. 
		**** This is the preferred method ****

To enable remote SCSI via the login shell method you should do the following:

	-	Add an entry to /etc/passwd in the form:

		rscsi:x:1999:1000:Tape:/export/home/rscsi:/opt/schily/sbin/rscsi

		(modify this according to your OS). And don't forget to
		modify /etc/shadow the way it needs to be on your OS.

	-	Create a  home directory for this user and add a .rhosts file
		to allow access to all users you like.

	-	Install rscsi suid root into /opt/schily/sbin

	-	Install a file /etc/default/rscsi and define access rights.
		Without this file, rscsi will not work at all.

		The template for this file is: rscsi/rscsi.dfl

RSCSI Security:

-	When rscsi starts, it checks if /etc/default/rscsi exists.
	If not, it dies.

-	If rscsi is not called by a user listed in /etc/default/rscsi
	it dies.

-	To access a SCSI target there must be an entry that lists the user
	rcsi hast been started from, the hostname and the SCSI target.

	rscsi compares the hostname field in /etc/default/rscsi 
	to the peername retrived from STDIN:

	- legal host name		IP connection
	- "ILLEGAL_SOCKET"		Not an IP socket
	- "NOT_IP"			Not a socket

RSCSI Security hints:

-	Do not generally allow other users to see your boot disk via RSCSI.
	All people who see this disk may edit your passwd file.

-	If you are in doubt, only export CD-ROM drives, scanners and similar
	devices that are not directly security sensitive.

If anybody sees a security hole in my security precautions, please send me a mail!

RSCSI usage:

-	To use remote SCSI devices you need to know how to access a specific remote
	SCSI target.

	-	dev=REMOTE:host: or dev=REMOTE:host
		will allow you to do SCSI bus scanning while you log in as yourself

	-	dev=REMOTE:user@host: or dev=REMOTE:user@host
		will allow you to do SCSI bus scanning while you log in as "user"

		If you use the setup described above, you should use:

			dev=REMOTE:rscsi@babbel:

		to do SCSI Bus scanning on host babbel

	-	To access a specific SCSI device, you must specify
		dev=REMOTE:host:<target spec> or dev=REMOTE:user@host:<target spec>
		<target spec> is the SCSI target specification as it is needed
		on the remote host

			dev=REMOTE:rscsi@babbel:1,3,0

		Will let you log in as rscsi on host babbel and open Target 3 lun 0
		on SCSI bus #1

	-	If you use cdrecord -vv ...., cdrecord will on startup print some 
		information about the remote libscg version used for the connection.

-	To be able to use the remote SCSI client code from win32 you need to create
	a file /etc/passwd with a correct entry for the user you are on win32.
	Call 'id' to get the right user id.
	Note that remote SCSI has not yet been tested on Win32.

RSCSI speed:

-	On a Ultra-10 running Solaris 8, the command overhead time is 400 usec.
	You may achieve up to 9900 kB/s via a 100MB/s ethernet connection
	between two of such machines.

-	With 100 MB/s, 12x recording should be no problem.

-	With 10 MB/s, 4x recording is the maximum. Do tests before!

-	Logging into a remote machine and running cdrecord on the remote machine
	causes the buffer cache on that machine to be trashed. The main user
	is disturbed.

-	Doing cdrecording via Remote SCSI causes only the rscsi command with less
	than 200kB to be needed on the remote machine hosting the CD recorder.
	The main user on that machine is not disturbed.
	The buffer cache of the machine running cdrecord is trashed.

-	It is desirable to use a Burn-Proof recorder to make sure that network
	load will not cause buffer underruns.


-	USER= test and test for hostname are using a pattern matcher.
Initial commit 2025-06-15 04:19:58 +08:00			`The Remote-SCSI protocol gives you SCSI-Anywhere features.`

			`There are three possible ways to control access to the remote users:`

			`- Let the remote scsi lib log in as a standard user.`
			`In this case rscsi will be called via sh -c /opt/schily/sbin/rscsi`
			`NOTE: In this case, rscsi must be installed suid root.`
			`--- This would need to allow any valid local user to access SCSI ----`
			`It could be a security problem.`

			`- Log in as root and call rscsi via sh -c /opt/schily/sbin/rscsi`
			`NOTE that this will fore you to allow remote logins as root`
			`which is considered to be a security hole.`

			`- Create one or more special user(s) that have /opt/schily/sbin/rscsi`
			`as login shell with their own home directory.`
			`You then may create special .rhosts files for each user.`
			`NOTE: In this case, rscsi must be installed suid root.`
			`** This is the preferred method **`

			`To enable remote SCSI via the login shell method you should do the following:`

			`- Add an entry to /etc/passwd in the form:`

			`rscsi:x:1999:1000:Tape:/export/home/rscsi:/opt/schily/sbin/rscsi`

			`(modify this according to your OS). And don't forget to`
			`modify /etc/shadow the way it needs to be on your OS.`

			`- Create a home directory for this user and add a .rhosts file`
			`to allow access to all users you like.`

			`- Install rscsi suid root into /opt/schily/sbin`

			`- Install a file /etc/default/rscsi and define access rights.`
			`Without this file, rscsi will not work at all.`

			`The template for this file is: rscsi/rscsi.dfl`

			`RSCSI Security:`

			`- When rscsi starts, it checks if /etc/default/rscsi exists.`
			`If not, it dies.`

			`- If rscsi is not called by a user listed in /etc/default/rscsi`
			`it dies.`

			`- To access a SCSI target there must be an entry that lists the user`
			`rcsi hast been started from, the hostname and the SCSI target.`

			`rscsi compares the hostname field in /etc/default/rscsi`
			`to the peername retrived from STDIN:`

			`- legal host name IP connection`
			`- "ILLEGAL_SOCKET" Not an IP socket`
			`- "NOT_IP" Not a socket`

			`RSCSI Security hints:`

			`- Do not generally allow other users to see your boot disk via RSCSI.`
			`All people who see this disk may edit your passwd file.`

			`- If you are in doubt, only export CD-ROM drives, scanners and similar`
			`devices that are not directly security sensitive.`

			`If anybody sees a security hole in my security precautions, please send me a mail!`

			`RSCSI usage:`

			`- To use remote SCSI devices you need to know how to access a specific remote`
			`SCSI target.`

			`- dev=REMOTE:host: or dev=REMOTE:host`
			`will allow you to do SCSI bus scanning while you log in as yourself`

			`- dev=REMOTE:user@host: or dev=REMOTE:user@host`
			`will allow you to do SCSI bus scanning while you log in as "user"`

			`If you use the setup described above, you should use:`

			`dev=REMOTE:rscsi@babbel:`

			`to do SCSI Bus scanning on host babbel`

			`- To access a specific SCSI device, you must specify`
			`dev=REMOTE:host:<target spec> or dev=REMOTE:user@host:<target spec>`
			`<target spec> is the SCSI target specification as it is needed`
			`on the remote host`

			`dev=REMOTE:rscsi@babbel:1,3,0`

			`Will let you log in as rscsi on host babbel and open Target 3 lun 0`
			`on SCSI bus #1`

			`- If you use cdrecord -vv ...., cdrecord will on startup print some`
			`information about the remote libscg version used for the connection.`

			`- To be able to use the remote SCSI client code from win32 you need to create`
			`a file /etc/passwd with a correct entry for the user you are on win32.`
			`Call 'id' to get the right user id.`
			`Note that remote SCSI has not yet been tested on Win32.`

			`RSCSI speed:`

			`- On a Ultra-10 running Solaris 8, the command overhead time is 400 usec.`
			`You may achieve up to 9900 kB/s via a 100MB/s ethernet connection`
			`between two of such machines.`

			`- With 100 MB/s, 12x recording should be no problem.`

			`- With 10 MB/s, 4x recording is the maximum. Do tests before!`

			`- Logging into a remote machine and running cdrecord on the remote machine`
			`causes the buffer cache on that machine to be trashed. The main user`
			`is disturbed.`

			`- Doing cdrecording via Remote SCSI causes only the rscsi command with less`
			`than 200kB to be needed on the remote machine hosting the CD recorder.`
			`The main user on that machine is not disturbed.`
			`The buffer cache of the machine running cdrecord is trashed.`

			`- It is desirable to use a Burn-Proof recorder to make sure that network`
			`load will not cause buffer underruns.`


			`- USER= test and test for hostname are using a pattern matcher.`