José Alburquerque wrote:
s. keeling wrote:
Very odd, on both of you.
(0) heretic /home/keeling_ all `which cdrecord`
-rwxr-xr-x 1 root root 133 2005-01-09 09:55 /usr/bin/cdrecord*
No SUID needed.
(0) heretic /home/keeling_ id
uid=1000(keeling) gid=1000(keeling)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),50(staff),1000(keeling)
I'm running Sarge/stable, Kernel 2.6.8-3-686. I've no problem burning
CDs as user keeling:
(0) heretic /home/keeling_ cdrecord dev=/dev/hdd -eject -tao \
-data xubuntu-6.06-desktop-i386.iso
Works fine (cdrecord, I mean; not xubuntu :-P ).
I'm not sure, but I believe it has to do with the kernel versions as
Mumia posted. You're running 2.6.8-3, but I'm running 2.6.16-2 on an
etch (testing) system. Oh well, I guess I'll probably end up using
sudo (it does seem like a good solution!).
BTW, this link
(http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0188.html)
explains somewhat why cdrecord insists on SUID to function, but another
solution (found in the gcombust faq) would be the "safer" suid solution
below (though I'm still leaning towards sudo):
There are two reasons for running cdrecord with root privileges; 1)
real time priority and 2) locking the buffers (so they can't get swapped
out). cdrecord can be run without root privileges, but it increases the
chance of a buffer underrun. cdrecord also needs read/write access to
the cdr-device (for making multisession cd:s mkisofs also needs read
access to the device). Please understand that making cdrecord suid root
is a security risk.
First, the non-root solution (this should be quite safe, but I'm no
scsi guru, you are granting write access to a scsi device..):
1) create a group for users who should be allowed to burn ("addgroup cdburn")
2) add user to this group ("adduser joedoe cdburn")
3) change the group owner of the device to cdburn, and give it group
read/write rights ("chgrp cdburn /dev/scd0; chmod g+rw /dev/scd0")
The setuid-root solution (give only the group executable rights, make
it suid root; please note that this is a security risk - you have been
warned):
1) create a group and add users as above
2) remove world executable from cdrecord ("chmod o-x /usr/bin/cdrecord")
3) make cdrecord setuid root ("chown root /usr/bin/cdrecord; chmod u+s
/usr/bin/cdrecord")
4) make the group of cdrecord the newly created group ("chgrp cdburn
/usr/bin/cdrecord")
Now, only users in the cdburn group can execute cdrecord, and it will be
executed with root privileges.
For mkisofs, it should be enough to give the users read right to the cdr
device (needed for multisession).
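A way to verify that a binary actually ends up in the state the quoted FAQ's setuid-root steps aim for (owned by root, setuid, executable by the group but not by "other"). This is an added example, not part of the original message or of the gcombust FAQ; it assumes GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a binary against the FAQ's group-only setuid layout.
# Assumes GNU stat; the path and group in the usage line come from the FAQ text.

# classify_mode OCTAL prints one of:
#   no-suid          setuid bit not set
#   suid-world-exec  setuid set and "other" may execute
#   suid-group-only  setuid set, group may execute, "other" may not
#   suid-owner-only  setuid set, neither group nor other may execute
classify_mode() {
    mode=$1
    # Pad to four digits so the special-bits digit is always present.
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    special=$(printf '%s' "$mode" | cut -c1)
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    if [ $((special & 4)) -eq 0 ]; then echo no-suid; return; fi
    if [ $((other & 1)) -ne 0 ]; then echo suid-world-exec; return; fi
    if [ $((group & 1)) -ne 0 ]; then echo suid-group-only; return; fi
    echo suid-owner-only
}

# audit_binary PATH GROUP: returns 0 only for root-owned, setuid, group-only exec.
audit_binary() {
    bin=$1; want_group=$2
    info=$(stat -L -c '%a %U %G' "$bin") || return 2
    set -- $info
    kind=$(classify_mode "$1")
    echo "$bin: mode=$1 owner=$2 group=$3 -> $kind"
    case $kind in
        no-suid) echo "  not setuid: runs with the caller's privileges"; return 1 ;;
        suid-world-exec) echo "  every local user can run it as $2"; return 1 ;;
        suid-owner-only) echo "  group has no execute bit"; return 1 ;;
    esac
    [ "$2" = root ] || { echo "  owner is $2, not root"; return 1; }
    [ "$3" = "$want_group" ] || { echo "  group is $3, expected $want_group"; return 1; }
    echo "  matches the FAQ layout (root:$want_group, setuid, no world execute)"
}

# Usage: audit_binary /usr/bin/cdrecord cdburn
```

A result of `suid-world-exec` means step 2 of the FAQ procedure (removing world execute) was skipped or has been undone, for example by a package upgrade resetting the mode.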