Date:      Thu, 27 Nov 2003 17:31:16 -0600
From:      Charles Howse <chowse@charter.net>
To:        Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
Cc:        FBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: possible solution to cdbakeoven failing to detect ATAPI burners
Message-ID:  <200311271731.16294.chowse@charter.net>
In-Reply-To: <444qwp2yo5.fsf@be-well.ilk.org>
References:  <200311271102.20318.chowse@charter.net> <200311271125.31998.chowse@charter.net> <444qwp2yo5.fsf@be-well.ilk.org>

On Thursday 27 November 2003 05:12 pm, Lowell Gilbert wrote:
> Charles Howse <chowse@charter.net> writes:
> > On Thursday 27 November 2003 11:16 am, Lowell Gilbert wrote:
> > > Charles Howse <chowse@charter.net> writes:
> > > > There has been significant discussion here in the past about
> > > > cdbakeoven not detecting ATAPI burners when run as an ordinary user.
> > > >
> > > > I had this issue, and may have a solution.
> > > >
> > > > Be sure your kernel is compiled with device atapicam.
> > > >
> > > > As root do:
> > > > # chmod u+s /usr/local/bin/cdrecord
> > > > Which will allow cdrecord to run as suid root.
> > >
> > > In other words, it's still not being run as an ordinary user...
> >
> > cdbakeoven *is* being run as an ordinary user, which was the original
> > issue, but to detect an atapi burner, it has to do 'cdrecord -scanbus',
> > which will fail if not run as root.  Make sense?
>
> I understood perfectly, but I don't think you've thought through all
> the implications.  The process executing cdrecord is *not* being run
> as a normal user.  The process is actually running as uid zero, which
> is to say that it's running as *root*.  This is considerably less
> secure than running as the user's own uid.  Thus, for systems where
> you're worried about the security with regard to local users, you are
> *vastly* worse off by making the executable suid-root.

I agree with you 100%.  Though I didn't say it explicitly, my comments were 
directed not to administrators where there is concern for local user 
security, but to plain ordinary desktop users who just want to burn some 
CDs.

For example, I have a home LAN, I am root on all 3 machines, no one else in 
the house uses these machines.  I am behind a hardware firewall with no ports 
forwarded to this machine (the one with the burner).

I feel completely secure running cdrecord suid root.

-- 
Thanks,
Charles
http://howse.homeunix.net:8080

Random Murphy's Law:
Don't make your doctor your heir.
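
The following is an added example, not part of either poster's message: a small shell check that shows what `chmod u+s` changes on a file, namely that the file's owner becomes the effective uid of any process that executes it, and how to list or clear that bit. The function names and the scratch file `cdrecord-demo` are constructed for the illustration; point the functions at a real path such as `/usr/local/bin/cdrecord` to audit it.

```shell
#!/bin/sh
# Added example: inspect, list and clear the setuid bit discussed in the thread.

# suid_status PATH
# Prints "missing", "setuid owner_uid=N" or "no-setuid owner_uid=N".
# With the setuid bit set, uid N is the effective uid of every process
# that executes PATH, whoever started it (N=0 means it runs as root).
suid_status() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 1; }
    # Field 3 of `ls -ln` is the numeric owner of the file.
    owner=$(ls -lnd -- "$path" | awk '{print $3}')
    if [ -u "$path" ]; then
        echo "setuid owner_uid=$owner"
    else
        echo "no-setuid owner_uid=$owner"
    fi
}

# list_setuid DIR
# Prints every regular file under DIR that carries the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 -print | sort
}

# drop_setuid PATH
# Clears the bit again (the inverse of `chmod u+s`).
drop_setuid() {
    chmod u-s -- "$1"
}

# Demo on a constructed, empty scratch file standing in for the real binary.
scratch=$(mktemp -d)
: > "$scratch/cdrecord-demo"
chmod 755 "$scratch/cdrecord-demo"
echo "before chmod u+s: $(suid_status "$scratch/cdrecord-demo")"
chmod u+s "$scratch/cdrecord-demo"
echo "after  chmod u+s: $(suid_status "$scratch/cdrecord-demo")"
echo "setuid files found: $(list_setuid "$scratch")"
drop_setuid "$scratch/cdrecord-demo"
echo "after  chmod u-s: $(suid_status "$scratch/cdrecord-demo")"
rm -rf "$scratch"
```
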
