Date:      27 Nov 2003 18:12:58 -0500
From:      Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To:        Charles Howse <chowse@charter.net>
Cc:        FBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: possible solution to cdbakeoven failing to detect ATAPI burners
Message-ID:  <444qwp2yo5.fsf@be-well.ilk.org>
In-Reply-To: <200311271125.31998.chowse@charter.net>
References:  <200311271102.20318.chowse@charter.net> <44wu9lu3zh.fsf@be-well.ilk.org> <200311271125.31998.chowse@charter.net>

Charles Howse <chowse@charter.net> writes:

> On Thursday 27 November 2003 11:16 am, Lowell Gilbert wrote:
> > Charles Howse <chowse@charter.net> writes:
> > > There has been significant discussion here in the past about cdbakeoven
> > > not detecting ATAPI burners when run as an ordinary user.
> > >
> > > I had this issue, and may have a solution.
> > >
> > > Be sure your kernel is compiled with device atapicam.
> > >
> > > As root do:
> > > # chmod u+s /usr/local/bin/cdrecord
> > > Which will allow cdrecord to run as suid root.
> >
> > In other words, it's still not being run as an ordinary user...
> 
> cdbakeoven *is* being run as an ordinary user, which was the original issue, 
> but to detect an atapi burner, it has to do 'cdrecord -scanbus', which will 
> fail if not run as root.  Make sense?

I understood perfectly, but I don't think you've thought through all
the implications.  The process executing cdrecord is *not* being run
as a normal user.  The process is actually running as uid zero, which
is to say that it's running as *root*.  This is considerably less
secure than running as the user's own uid.  Thus, for systems where
you're worried about the security with regard to local users, you are
*vastly* worse off by making the executable suid-root.

There's a reason that the standard security scripts report to you
*every* *night* on any new suid executables on the system.  
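
Added example, not part of the original message and not the FreeBSD periodic script itself: a minimal baseline-and-compare check of the kind the message refers to, which lists setuid files and reports any that were not in the previous snapshot. The function names, snapshot file names and scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative sketch only: names and snapshot layout are hypothetical.

# Print every regular file under DIR that has the setuid bit set,
# one path per line, sorted so snapshots can be compared with comm(1).
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# Print paths that appear in the CURRENT snapshot but not in BASELINE,
# i.e. files that became setuid since the baseline was taken.
new_setuid() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Demo on a constructed scratch directory (no root privileges needed).
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/cdrecord" "$d/passwd" "$d/ls"
    chmod 4755 "$d/passwd"          # already setuid when the baseline is taken
    list_setuid "$d" > "$d.base"    # "last night's" snapshot
    chmod u+s "$d/cdrecord"         # the change proposed in the thread
    list_setuid "$d" > "$d.now"     # "tonight's" snapshot
    new_setuid "$d.base" "$d.now"   # reports only the newly setuid file
    rm -rf "$d" "$d.base" "$d.now"
}

demo
```

On a real system the directory argument would be a filesystem mount point and the baseline would be kept between runs, so each run reports only what changed.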
