Date:      Thu, 27 Nov 2003 17:57:15 -0600
From:      Charles Howse <chowse@charter.net>
To:        Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>, freebsd-questions@freebsd.org
Subject:   Re: possible solution to cdbakeoven failing to detect ATAPI burners
Message-ID:  <200311271757.15345.chowse@charter.net>
In-Reply-To: <44znehqspw.fsf@be-well.ilk.org>
References:  <200311271102.20318.chowse@charter.net> <200311271731.16294.chowse@charter.net> <44znehqspw.fsf@be-well.ilk.org>

On Thursday 27 November 2003 05:47 pm, Lowell Gilbert wrote:
> Charles Howse <chowse@charter.net> writes:
> > I agree with you 100%.  Though I didn't say it explicitly, my comments
> > were directed not to administrators where there is concern for local user
> > security, but to plain ordinary desktop users who just want to burn some
> > CD's.
>
> In my opinion, it is quite important to be explicit about security
> tradeoffs when posting to a public mailing list that is frequently
> searched by novice sysadmins.

I will take that as good advice.  :-)

No disrespect, but seriously, can you give me a scenario where something bad 
could happen on *my* computer because I'm running cdrecord suid-root?

I would also be very interested to hear a scenario where something bad could 
happen on an insecure system if they are running cdrecord suid-root.

If I have more information on the implications of suid-root, I may be more 
careful in the future.

Actually, I got my idea from man cdrecord, where it says:

       If you don't want to allow users to become root on your system,
       cdrecord may safely be installed suid root. This allows all users or a
       group of users with no root privileges to use cdrecord. Cdrecord in
       this case checks, if the real user would have been able to read the
       specified files. To give all user access to use cdrecord, enter:

            chown root /usr/local/bin/cdrecord
            chmod 4711 /usr/local/bin/cdrecord

       To give a restricted group of users access to cdrecord enter:

            chown root /usr/local/bin/cdrecord
            chgrp cdburners /usr/local/bin/cdrecord
            chmod 4710 /usr/local/bin/cdrecord

       and add a group cdburners on your system.

-- 
Thanks,
Charles
http://howse.homeunix.net:8080

Random Murphy's Law:
If it's good they will stop making it.
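
The following is an added example, not part of the original message or of the cdrecord documentation: a small audit script that reports who can execute a setuid-root binary, which is the practical difference between the 4711 and 4710 modes quoted above. The function names `classify` and `audit_file`, the gid 1001 for cdburners, and the sample `ls -ln` lines are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: classify who may run a setuid binary, using the mode string
# and numeric owner that `ls -ldn` prints. Function names are hypothetical.

# classify MODESTR UID -> one-word verdict on stdout
classify() {
    m=$1 owner=$2
    u_x=$(printf '%s' "$m" | cut -c4)    # owner-execute slot: s or S means setuid
    g_w=$(printf '%s' "$m" | cut -c6)    # group write
    g_x=$(printf '%s' "$m" | cut -c7)    # group execute (s when setgid is also set)
    o_w=$(printf '%s' "$m" | cut -c9)    # other write
    o_x=$(printf '%s' "$m" | cut -c10)   # other execute (t when sticky is also set)
    case $u_x in s|S) ;; *) echo not-setuid; return ;; esac
    [ "$owner" = 0 ] || { echo setuid-nonroot; return; }
    # A root-owned setuid file that group or other can modify is the worst case.
    if [ "$g_w" = w ] || [ "$o_w" = w ]; then echo setuid-root-writable; return; fi
    case $o_x in x|t) echo setuid-root-all-users; return ;; esac    # e.g. 4711
    case $g_x in x|s) echo setuid-root-group-only; return ;; esac   # e.g. 4710
    echo setuid-root-owner-only
}

# audit_file PATH -> "PATH: verdict (gid N)" for a file on this system
audit_file() {
    path=$1
    line=$(ls -ldn -- "$path") || return 1
    set -- $line                         # fields: mode links uid gid ...
    printf '%s: %s (gid %s)\n' "$path" "$(classify "$1" "$3")" "$4"
}

# Constructed `ls -ln` lines for the two modes quoted from the man page;
# gid 1001 stands in for the cdburners group, sizes and dates are made up.
while read -r mode links uid gid rest; do
    printf '%s uid=%s gid=%s -> %s\n' "$mode" "$uid" "$gid" "$(classify "$mode" "$uid")"
done <<'EOF'
-rws--x--x 1 0 0 388456 Nov 27 2003 /usr/local/bin/cdrecord
-rws--x--- 1 0 1001 388456 Nov 27 2003 /usr/local/bin/cdrecord
EOF
```

Running `audit_file /usr/local/bin/cdrecord` on a real system gives the same verdict for the installed binary, along with the gid whose members can execute it.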
