Date: 27 Nov 2003 18:12:58 -0500
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: Charles Howse <chowse@charter.net>
Cc: FBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: possible solution to cdbakeoven failing to detect ATAPI burners
Message-ID: <444qwp2yo5.fsf@be-well.ilk.org>
In-Reply-To: <200311271125.31998.chowse@charter.net>
References: <200311271102.20318.chowse@charter.net> <44wu9lu3zh.fsf@be-well.ilk.org> <200311271125.31998.chowse@charter.net>

Charles Howse <chowse@charter.net> writes:

> On Thursday 27 November 2003 11:16 am, Lowell Gilbert wrote:
> > Charles Howse <chowse@charter.net> writes:
> > > There has been significant discussion here in the past about cdbakeoven
> > > not detecting ATAPI burners when run as an ordinary user.
> > >
> > > I had this issue, and may have a solution.
> > >
> > > Be sure your kernel is compiled with device atapicam.
> > >
> > > As root do:
> > > # chmod u+s /usr/local/bin/cdrecord
> > > Which will allow cdrecord to run as suid root.
> >
> > In other words, it's still not being run as an ordinary user...
>
> cdbakeoven *is* being run as an ordinary user, which was the original issue,
> but to detect an atapi burner, it has to do 'cdrecord -scanbus', which will
> fail if not run as root. Make sense?

I understood perfectly, but I don't think you've thought through all
the implications. The process executing cdrecord is *not* being run
as a normal user. The process is actually running as uid zero, which
is to say that it's running as *root*. This is considerably less
secure than running as the user's own uid.

Thus, for systems where you're worried about the security with regard
to local users, you are *vastly* worse off by making the executable
suid-root. There's a reason that the standard security scripts report
to you *every* *night* on any new suid executables on the system.
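The nightly report on new suid executables mentioned at the end of the message can be approximated with a snapshot-and-compare check. This is an added example, not part of the original e-mail and not FreeBSD's own security script; the function names and the snapshot path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that were not present in the
# previous snapshot. Function names and paths are hypothetical.

# Print a sorted list of setuid or setgid regular files under the given
# directories, without crossing onto other filesystems.
list_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | LC_ALL=C sort
}

# report_new_setid SNAPSHOT DIR...
# Compare the current inventory with SNAPSHOT, print entries that are new,
# then store the current inventory as the next baseline.
# Returns 0 when nothing new was found, 1 when new files were reported.
report_new_setid() {
    snapshot=$1
    shift
    current=$(mktemp) || return 2
    list_setid "$@" > "$current"
    # First run: start from an empty baseline, so everything is reported.
    [ -f "$snapshot" ] || : > "$snapshot"
    # comm -13 keeps lines that appear only in the second (current) file.
    new=$(LC_ALL=C comm -13 "$snapshot" "$current")
    mv "$current" "$snapshot"
    if [ -n "$new" ]; then
        printf 'new setuid/setgid files:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Typical use from a nightly job (snapshot path is an assumption):
#   report_new_setid /var/db/setid.snapshot /usr/local/bin /usr/bin
```

Run before and after the `chmod u+s /usr/local/bin/cdrecord` step quoted above, the second run lists cdrecord as a new setuid file.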