From: Charles Howse
To: Lowell Gilbert, freebsd-questions@freebsd.org
Date: Thu, 27 Nov 2003 17:57:15 -0600
Subject: Re: possible solution to cdbakeoven failing to detect ATAPI burners

On Thursday 27 November 2003 05:47 pm, Lowell Gilbert wrote:
> Charles Howse writes:
> > I agree with you 100%. Though I didn't say it explicitly, my comments
> > were directed not to administrators where there is concern for local user
> > security, but to plain ordinary desktop users who just want to burn some
> > CD's.
>
> In my opinion, it is quite important to be explicit about security
> tradeoffs when posting to a public mailing list that is frequently
> searched by novice sysadmins.

I will take that as good advice. :-)

No disrespect, but seriously, can you give me a scenario where something bad
could happen on *my* computer because I'm running cdrecord suid-root?

I would also be very interested to hear a scenario where something bad could
happen on an insecure system if they are running cdrecord suid-root.

If I have more information on the implications of suid-root, I may be more
careful in the future.

Actually, I got my idea from man cdrecord, where it says:

    If you don't want to allow users to become root on your system, cdrecord
    may safely be installed suid root. This allows all users or a group of
    users with no root privileges to use cdrecord. Cdrecord in this case
    checks, if the real user would have been able to read the specified files.

    To give all user access to use cdrecord, enter:

        chown root /usr/local/bin/cdrecord
        chmod 4711 /usr/local/bin/cdrecord

    To give a restricted group of users access to cdrecord enter:

        chown root /usr/local/bin/cdrecord
        chgrp cdburners /usr/local/bin/cdrecord
        chmod 4710 /usr/local/bin/cdrecord

    and add a group cdburners on your system.

--
Thanks,
Charles

http://howse.homeunix.net:8080

Random Murphy's Law: If it's good they will stop making it.
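
The two install modes quoted from the cdrecord man page above (4711 for all users, 4710 for a restricted group) differ in who can invoke the root-owned binary, and that can be checked on an installed system. The script below is an added example, not part of the original message or of cdrecord; the function names classify_suid and audit_suid are hypothetical.

```shell
#!/bin/sh
# Added example: report how a setuid binary is exposed to local users.
# Usage (assumed): pass one or more paths, e.g. /usr/local/bin/cdrecord

# classify_suid MODE UID
#   MODE is an ls-style mode string (e.g. "-rws--x--x"), UID the numeric owner.
classify_suid() {
    mode=$1 uid=$2
    case $mode in
        ???[sS]*) ;;                        # setuid bit present
        *) echo "not-setuid"; return 0 ;;
    esac
    if [ "$uid" != 0 ]; then
        echo "setuid-non-root"; return 0
    fi
    case $mode in
        ?????w*|????????w*)                 # group- or world-writable binary
            echo "suid-root-writable-by-non-owner" ;;
        ?????????[xt]*)                     # chmod 4711: any local user may run it
            echo "suid-root-all-users" ;;
        ??????[xs]*)                        # chmod 4710: owning group only
            echo "suid-root-group-only" ;;
        *)  echo "suid-root-owner-only" ;;
    esac
}

# audit_suid PATH
#   Reads mode, owner uid and group gid from "ls -ldn" and prints the verdict.
audit_suid() {
    path=$1
    line=$(ls -ldn -- "$path") || return 1
    # Fields of the ls line: mode string, link count, owner uid, group gid.
    read -r mode_str _links owner_uid group_gid _rest <<EOF
$line
EOF
    echo "$path: $(classify_suid "$mode_str" "$owner_uid") (uid $owner_uid, gid $group_gid)"
}

for f in "$@"; do
    audit_suid "$f"
done
```
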