From: Charles Howse
To: Lowell Gilbert
cc: FBSD Questions
Date: Thu, 27 Nov 2003 17:31:16 -0600
Subject: Re: possible solution to cdbakeoven failing to detect ATAPI burners

On Thursday 27 November 2003 05:12 pm, Lowell Gilbert wrote:
> Charles Howse writes:
> > On Thursday 27 November 2003 11:16 am, Lowell Gilbert wrote:
> > > Charles Howse writes:
> > > > There has been significant discussion here in the past about
> > > > cdbakeoven not detecting ATAPI burners when run as an ordinary user.
> > > >
> > > > I had this issue, and may have a solution.
> > > >
> > > > Be sure your kernel is compiled with device atapicam.
> > > >
> > > > As root do:
> > > > # chmod u+s /usr/local/bin/cdrecord
> > > > Which will allow cdrecord to run as suid root.
> > >
> > > In other words, it's still not being run as an ordinary user...
> >
> > cdbakeoven *is* being run as an ordinary user, which was the original
> > issue, but to detect an atapi burner, it has to do 'cdrecord -scanbus',
> > which will fail if not run as root. Make sense?
>
> I understood perfectly, but I don't think you've thought through all
> the implications. The process executing cdrecord is *not* being run
> as a normal user. The process is actually running as uid zero, which
> is to say that it's running as *root*. This is considerably less
> secure than running as the user's own uid. Thus, for systems where
> you're worried about the security with regard to local users, you are
> *vastly* worse off by making the executable suid-root.

I agree with you 100%.

Though I didn't say it explicitly, my comments were directed not to
administrators where there is concern for local user security, but to plain
ordinary desktop users who just want to burn some CDs.

For example, I have a home LAN, I am root on all 3 machines, no one else in
the house uses these machines. I am behind a hardware firewall with no ports
forwarded to this machine (the one with the burner). I feel completely secure
running cdrecord suid root.

-- 
Thanks,
Charles
http://howse.homeunix.net:8080

Random Murphy's Law: Don't make your doctor your heir.
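
The following audit script is an added example, not part of the original message or of cdrecord. It lists files carrying the setuid bit that `chmod u+s` sets in the thread and reports whether a given binary would execute with root's uid; the function names `list_setuid` and `is_setuid_root` are hypothetical.

```shell
#!/bin/sh
# Added example: audit setuid files such as the one created by
# `chmod u+s /usr/local/bin/cdrecord`.
# Usage: sh audit-setuid.sh /usr/local/bin /usr/bin

# Numeric owner uid of a file, taken from `ls -ldn` (portable across
# BSD and GNU userlands, unlike stat(1) format flags).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Print "<owner-uid> <path>" for every regular file below the given
# directories that has the setuid bit (mode 4000) set.
list_setuid() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null |
            while IFS= read -r f; do
                printf '%s %s\n' "$(owner_uid "$f")" "$f"
            done
    done
}

# Succeed only if the file is setuid AND owned by uid 0, i.e. any local
# user who can execute it gets a process with root's effective uid.
is_setuid_root() {
    [ -f "$1" ] || return 1
    [ -u "$1" ] || return 1
    [ "$(owner_uid "$1")" = "0" ]
}

# When directories are given on the command line, flag root-owned hits.
if [ "$#" -gt 0 ]; then
    list_setuid "$@" | while IFS= read -r line; do
        case "$line" in
            "0 "*) printf 'SETUID-ROOT %s\n' "${line#0 }" ;;
            *)     printf 'setuid      %s\n' "${line#* }" ;;
        esac
    done
fi
```

Running `chmod u-s` on a flagged file reverses the change made in the thread.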