possible solution to cdbakeoven failing to detect ATAPI burners

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Thu Nov 27 15:13:06 PST 2003

Charles Howse <chowse at charter.net> writes:

> On Thursday 27 November 2003 11:16 am, Lowell Gilbert wrote:
> > Charles Howse <chowse at charter.net> writes:
> > > There has been signifigant discussion here in the past about cdbakeoven
> > > not detecting ATAPI burners when run as an ordinary user.
> > >
> > > I had this issue, and may have a solution.
> > >
> > > Be sure your kernel is compiled with device atapicam.
> > >
> > > As root do:
> > > # chmod u+s /usr/local/bin/cdrecord
> > > Which will allow cdrecord to run as suid root.
> >
> > In other words, it's still not being run as an ordinary user...
> cdbakeoven *is* being run as an ordinary user, which was the original issue, 
> but to detect an atapi burner, it has to do 'cdrecord -scanbus', which will 
> fail if not run as root.  Make sense?

I understood perfectly, but I don't think you've thought through all
the implications.  The process executing cdrecord is *not* being run
as a normal user.  The process is actually running as uid zero, which
is to say that it's running as *root*.  This is considerably less
secure than running as the user's own uid.  Thus, for systems where
you're worried about the security with regard to local users, you are
*vastly* worse off by making the executable suid-root.

There's a reason that the standard security scripts report to you
*every* *night* on any new suid executables on the system.  

More information about the freebsd-questions mailing list