possible solution to cdbakeoven failing to detect ATAPI burners
Lowell Gilbert
freebsd-questions-local at be-well.ilk.org
Thu Nov 27 15:13:06 PST 2003

Charles Howse <chowse at charter.net> writes:
> On Thursday 27 November 2003 11:16 am, Lowell Gilbert wrote:
> > Charles Howse <chowse at charter.net> writes:
> > > There has been significant discussion here in the past about cdbakeoven
> > > not detecting ATAPI burners when run as an ordinary user.
> > >
> > > I had this issue, and may have a solution.
> > >
> > > Be sure your kernel is compiled with device atapicam.
> > >
> > > As root do:
> > > # chmod u+s /usr/local/bin/cdrecord
> > > Which will allow cdrecord to run as suid root.
> >
> > In other words, it's still not being run as an ordinary user...
>
> cdbakeoven *is* being run as an ordinary user, which was the original issue,
> but to detect an atapi burner, it has to do 'cdrecord -scanbus', which will
> fail if not run as root. Make sense?

I understood perfectly, but I don't think you've thought through all
the implications. The process executing cdrecord is *not* being run
as a normal user. The process is actually running as uid zero, which
is to say that it's running as *root*. This is considerably less
secure than running as the user's own uid. Thus, for systems where
you're worried about the security with regard to local users, you are
*vastly* worse off by making the executable suid-root.

There's a reason that the standard security scripts report to you
*every* *night* on any new suid executables on the system.
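
The kind of nightly check mentioned in the last paragraph, as an added example that is not part of the original message and is not FreeBSD's own security script: it compares the setuid files currently under a directory against a saved baseline and prints any that are new, which is how a `chmod u+s` on cdrecord would surface. The function names, the one-path-per-line baseline format and the paths in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report setuid files that are not in a saved baseline.
# Function names and the baseline format (one path per line) are
# assumptions made for this example.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# list_suid DIR: sorted paths of regular files under DIR with the setuid bit.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# new_suid DIR BASELINE: setuid files under DIR that BASELINE does not list.
new_suid() {
    _cur=$(mktemp) || return 1
    list_suid "$1" > "$_cur"
    # comm -13 keeps only lines unique to the second input (current state)
    sort "$2" | comm -13 - "$_cur"
    rm -f "$_cur"
}

# Usage (constructed paths): sh suidcheck.sh /usr/local/bin /var/db/suid.baseline
if [ "$#" -eq 2 ]; then
    new_suid "$1" "$2"
fi
```

Create the baseline once with `list_suid DIR > BASELINE` after reviewing its contents; anything `new_suid` prints afterwards is a setuid file added since that review.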