On 01/28/2012 03:49 AM, Mike Frysinger wrote:
On Friday 27 January 2012 20:07:45 Samuli Suominen wrote:
On 01/28/2012 02:41 AM, Mike Frysinger wrote:
On Friday 27 January 2012 19:18:07 Samuli Suominen wrote:
On 01/28/2012 02:14 AM, Mike Frysinger wrote:
along these lines, why is cdrtools set*id ? if we have a "cdrom"
group, and we assign our cdroms/dvdroms to that group, then we already
have access control in place and can skip the set*id.
cdrtools can't probe the drives without the binary being setuid, or the
user belonging to the 'disk' group (and even that is not enough in some
cases if the permissions vary)
the drives are owned by the "cdrom" group and have group +rw. so if the
user is in the "cdrom" group, why can't they probe the drives ?
"disk" owns the non-removable hard drives.
$ ls -l /dev/sr0 /dev/sg0 /dev/sg6
crw-rw---- 1 root disk 21, 0 Jan 6 23:07 /dev/sg0
crw-rw---- 1 root cdrom 21, 6 Jan 6 23:07 /dev/sg6
brw-rw---- 1 root cdrom 11, 0 Jan 17 22:28 /dev/sr0
-mike
i don't know why, but it does probe also non-removable disks... it probes
per bus, iirc
you can try it easily yourself:
this is a failure in cdrecord (not that surprising). it aborts after the first
EACCES it gets on /dev/sg# instead of continuing on. granting set*id to a
binary because they can't be bothered to try the next device is dumb.
$ sudo mv /dev/sg[0-5] ~/
$ sudo chmod 755 /usr/bin/cdrecord
$ cdrecord -scanbus
Cdrecord-ProDVD-ProBD-Clone 3.01a06 (x86_64-unknown-linux-gnu) Copyright (C)
1995-2011 Joerg Schilling
TOC Type: 1 = CD-ROM
Linux sg driver version: 3.5.34
Using libscg version 'schily-0.9'.
Using libscg transport code version 'schily-scsi-linux-sg.c-1.95'
Driveropts: 'burnfree'
SCSI buffer size: 32768
scsibus7:
7,0,0 700) 'TSSTcorp' 'CDDVDW SH-S222L ' 'SB03' Removable CD-ROM
7,1,0 701) *
7,2,0 702) *
7,3,0 703) *
7,4,0 704) *
7,5,0 705) *
7,6,0 706) *
7,7,0 707) *
-mike
and people have multiple times tried to convince the cdrtools author to
change this, but without success.
the author can be, well, ...
i've improved the situation _a bit_:
+*cdrtools-3.01_alpha06-r1 (28 Jan 2012)
+
+ 28 Jan 2012; Samuli Suominen <ssuomi...@gentoo.org>
+ +cdrtools-3.01_alpha06-r1.ebuild:
+ Change cdda2wav, cdrecord, readcd and rscsi from suid root to sgid
disk for
+ udev users (note: tested with cdrecord -scanbus)
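Review bot: the "(note: tested with cdrecord -scanbus)" remark covers only one of the four binaries this entry changes; cdda2wav, readcd and rscsi should get the same check before the entry claims the switch works, or the note should say they are untested. The entry also gives no reason for choosing "sgid disk" over the cdrom group: in the ls output quoted earlier in this thread, disk is the group on /dev/sg0, the non-removable drive, so these binaries gain group read/write on hard-disk nodes as well. Recording that trade-off in the entry would help whoever audits the set*id bits later.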
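The scan failure described earlier in the thread (stopping at the first EACCES on /dev/sg# instead of continuing), shown as an added example; it is not cdrecord's code and not from any poster. The node table, sim_open() and both scan functions are hypothetical, and the device layout is constructed from the ls output and the sg[0-5] command quoted above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout following the thread: sg0..sg5 are "disk", sg6 is "cdrom". */
struct node { const char *path; const char *group; };
static const struct node nodes[] = {
    {"/dev/sg0", "disk"}, {"/dev/sg1", "disk"}, {"/dev/sg2", "disk"},
    {"/dev/sg3", "disk"}, {"/dev/sg4", "disk"}, {"/dev/sg5", "disk"},
    {"/dev/sg6", "cdrom"},
};
#define NNODES (sizeof(nodes) / sizeof(nodes[0]))

/* Stand-in for open(2) on a crw-rw---- root:<group> node, unprivileged caller. */
static int sim_open(const struct node *n, const char *user_groups)
{
    if (strstr(user_groups, n->group) != NULL)
        return 0;
    errno = EACCES;
    return -1;
}

/* Scan that gives up at the first failure, as the thread describes. */
int scan_abort_on_error(const char *user_groups)
{
    int found = 0;
    for (size_t i = 0; i < NNODES; i++) {
        if (sim_open(&nodes[i], user_groups) < 0)
            return found;            /* never reaches /dev/sg6 */
        found++;
    }
    return found;
}

/* Tolerant scan: skip nodes denied with EACCES, stop only on other errors. */
int scan_skip_denied(const char *user_groups, int *denied)
{
    int found = 0;
    *denied = 0;
    for (size_t i = 0; i < NNODES; i++) {
        if (sim_open(&nodes[i], user_groups) == 0)
            found++;
        else if (errno == EACCES)
            (*denied)++;             /* not ours to open: move on */
        else
            return -1;
    }
    return found;
}
```

With only "cdrom" membership the tolerant scan still reaches /dev/sg6, while "disk" membership opens all six hard-disk nodes, which is the access an sgid-disk binary carries.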