From: Lowell Gilbert
To: Charles Howse
cc: FBSD Questions
Date: 27 Nov 2003 18:12:58 -0500
Subject: Re: possible solution to cdbakeoven failing to detect ATAPI burners
Message-ID: <444qwp2yo5.fsf@be-well.ilk.org>
In-Reply-To: <200311271125.31998.chowse@charter.net>

Charles Howse writes:

> On Thursday 27 November 2003 11:16 am, Lowell Gilbert wrote:
> > Charles Howse writes:
> > > There has been significant discussion here in the past about cdbakeoven
> > > not detecting ATAPI burners when run as an ordinary user.
> > >
> > > I had this issue, and may have a solution.
> > >
> > > Be sure your kernel is compiled with device atapicam.
> > >
> > > As root do:
> > > # chmod u+s /usr/local/bin/cdrecord
> > > Which will allow cdrecord to run as suid root.
> >
> > In other words, it's still not being run as an ordinary user...
>
> cdbakeoven *is* being run as an ordinary user, which was the original issue,
> but to detect an atapi burner, it has to do 'cdrecord -scanbus', which will
> fail if not run as root.  Make sense?

I understood perfectly, but I don't think you've thought through all
the implications.  The process executing cdrecord is *not* being run
as a normal user.  The process is actually running as uid zero, which
is to say that it's running as *root*.  This is considerably less
secure than running as the user's own uid.

Thus, for systems where you're worried about the security with regard
to local users, you are *vastly* worse off by making the executable
suid-root.  There's a reason that the standard security scripts report
to you *every* *night* on any new suid executables on the system.
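
The kind of nightly check referred to above, as an added example that is not part of the original message and is not FreeBSD's own security script: it lists setuid files and reports any that are absent from a saved baseline. The function names, the baseline file and the directories scanned are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report setuid files that are not in a saved baseline.
# Function names, baseline path and directories are illustrative assumptions.

# list_setuid DIR...
# Print every regular file under DIR that has the setuid bit (mode 4000),
# one path per line, sorted so the output can be compared with comm(1).
list_setuid() {
    find "$@" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# new_setuid BASELINE DIR...
# Print setuid files that exist now but are missing from BASELINE.
# BASELINE is a file previously written by list_setuid; a missing
# baseline is treated as empty, so every setuid file is reported.
new_setuid() {
    baseline=$1
    shift
    [ -f "$baseline" ] || baseline=/dev/null
    current=$(mktemp) || return 1
    list_setuid "$@" > "$current"
    # comm -13 keeps lines found only in the second input: the new files.
    LC_ALL=C comm -13 "$baseline" "$current"
    rm -f "$current"
}

# Direct use: sh chksuid.sh BASELINE DIR...
if [ $# -ge 2 ]; then
    new_setuid "$@"
fi
```

After the `chmod u+s` quoted above, a run with `/usr/local/bin` among the directories would list `/usr/local/bin/cdrecord` until the baseline is regenerated with `list_setuid`.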