Re: cdrtools-2.01a37 ready
Volker Kuhlmann <hidden@paradise.net.nz> wrote:
> > Volker >
> > > I would have provided cdrecord packages, alas I never had problems with
> > > the SuSE-supplied ones, therefore no point spending time on it.
> >
> > The binary (with DVD patch, disclaimer and all) which i
> > found after system installation did not work setuid root.
> > Since that method is advised by the man who must know,
> > i will not advise my users to do it different.
>
> That is a matter of opinion, of course. I dislike suid programs, and
> have only Jörg's word that it'll be ok. On the other hand I have a
> binary which is modified to not require suid, which seems the better
> concept to me in any case.
How do you believe that you may run cdrecord without root privs without
compromising the security of the whole system?
> If Jörg wants me to believe he's better than the SuSE security team
> (who have a bigger reputation to lose), he will have to supply better
If SuSE has a security team, it is a joke....
Last year, I was contacted by SuSE (after I sent out angry news postings
about broken and non-functional SuSE cdrecord binaries).
The person in question did point me to a possible printf format string problem
in libscg..... but:
He also informed me about SuSE's Resource manager patch and sent me a pointer
to the related source code. After I sent him a reply that explained why
the SuSE resource manager is a security risk itself, I got no further reply :-(
Jörg
--
EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
js@cs.tu-berlin.de (uni) If you don't have iso-8859-1
schilling@fokus.fraunhofer.de (work) chars I am J"org Schilling
URL: http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily