
Re: Access rights with growisofs



Dear Folks,

On Mon, Jul 12, 2004 at 10:23:22AM -0400, Geoffrey wrote:
> Nick Urbanik wrote:
> >Dear Folks,
> >
> >my Perl program at
> >http://ictlab.tyict.vtc.edu.hk/ftp/tarball/make-path-lists.pl seems
> >ready to use; I am now backing everything up using it.  I still
> >haven't finished; I'll let the list know when I have finished my
> >complete backup and have tested it successfully.
> >
> >I have one problem remaining that I hope someone could point me to the
> >answer for:
> >
> >When backing up many files, some of which I do not have read
> >permission to access as my ordinary account, is the only way to access
> >them to do something like su to root, then run growisofs?
> >
> >It's just that I don't like using su, but if that's the only way, then
> >I'll do it.
> 
> check out sudo.  You can set it up so that a specific id can run a 
> specific command as root.  man sudo.

I agree that sudo is useful; I wrote this intro to sudo for my
students: http://ictlab.tyict.vtc.edu.hk/ossi/lab/sudo/sudo.pdf which
includes a picture of a chainsaw, under which I wrote, "Doing
everything as root is like cutting bread with a chainsaw."

However, Andy wrote in his man page for growisofs in
dvd+rw-tools-5.19.4.9.7 that 
"If executed under sudo(8) growisofs refuses to start."
...
#!/bin/ksh
unset SUDO_COMMAND
export MKISOFS=/path/to/trusted/mkisofs
exec growisofs "$@"

And there is the answer to my question.  Andy is rightly concerned
that running growisofs under sudo allows any user with sudo privilege
read access to any file in the file system, as well as the right to
execute a program of their choice with elevated privileges.

When the reason for running growisofs with elevated privileges *is* to
get read access to any file in the file system, then running it under
sudo is fine, as long as the fact that it may run any program instead
of mkisofs is taken into account.

I had been reading an earlier man page for dvd+rw-tools-5.17.4.8.6
which did not mention this, while running the later version (:-#
(embarrassed).
-- 
Nick Urbanik   RHCE                               nicku(at)vtc.edu.hk
Proud member of the Dept. of Information & Communications Technology,
Home of Visual Paradigm: Jolt Productivity Award winner, programmed
by our own graduates!      Tel: (852) 2436 8576  Fax: (852) 2436 8526
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24   ID: BB9D2C24
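
Added example, not part of the original message or of dvd+rw-tools: a variant of the man page wrapper quoted above that vets the pinned mkisofs binary before handing it to growisofs, since whatever MKISOFS names runs with the wrapper's privileges. The function names are hypothetical, and /path/to/trusted/mkisofs is the placeholder path from the man page excerpt.

```shell
#!/bin/sh
# Added example: root-run wrapper for growisofs that checks the pinned
# mkisofs binary first. Function names are hypothetical.

# trusted_binary PATH [OWNER_UID]
# Succeeds only if PATH is absolute, is a regular executable file (not a
# symlink), is owned by OWNER_UID (default 0, root), and is not writable
# by group or other.
trusted_binary() {
    path=$1
    owner=${2:-0}
    case $path in
        /*) ;;              # absolute path: continue
        *)  return 1 ;;     # relative path would depend on the caller's cwd
    esac
    [ -f "$path" ] && [ ! -L "$path" ] && [ -x "$path" ] || return 1
    # find prints the path only when every predicate holds.
    match=$(find "$path" -prune -user "$owner" \
                 ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$match" ]
}

# run_growisofs ARGS...
# The mkisofs path is hard-coded here, never read from the caller's
# environment, so the invoking user cannot substitute another program.
run_growisofs() {
    mkisofs_path=/path/to/trusted/mkisofs   # placeholder from the man page
    if ! trusted_binary "$mkisofs_path"; then
        echo "refusing to run: $mkisofs_path failed the trust check" >&2
        return 1
    fi
    unset SUDO_COMMAND      # as in the man page wrapper
    MKISOFS=$mkisofs_path
    export MKISOFS
    exec growisofs "$@"
}
```

To use it as the wrapper script, end the file with `run_growisofs "$@"`. The check covers the binary itself only; the directories leading to it need the same ownership and mode.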
