On Friday 27 January 2012 20:28:04 Chí-Thanh Christopher Nguyễn wrote: > Mike Frysinger schrieb: > > along these lines, why is cdrtools set*id ? if we have a "cdrom" group, > > and we assign our cdroms/dvdroms to that group, then we already have > > access control in place and can skip the set*id. > > From the manpage, "In order to be able to use the SCSI transport > subsystem of the OS, run at highest priority and lock itself into core > cdrecord either needs to be run as root, needs to be installed suid root > or must be called via RBACs pfexec mechanism." > > I guess with the advent of burnfree technology, the priority and locking > into memory have become less important.
yeah, i would think if your system is loaded enough for this to be an issue, it's going to be an issue anyways. but i'd image mlock/rtprio could be enabled via pam and security/limits.conf for the cdrom group. > The cdrom group will give access to /dev/sr* but not the associated > /dev/sg* yes, it does: $ find -L /dev/* -maxdepth 0 -gid 19 /dev/cdrom /dev/cdrw /dev/dvd /dev/dvdrw /dev/scd0 /dev/sg6 /dev/sr0 -mike
signature.asc
Description: This is a digitally signed message part.
