
Re: Why burnfree is off by default?



Joerg Schilling <schilling@fokus.fraunhofer.de> writes:

> Nowadays, where there is Burnproof, people complain about coasters because
> they listen to incompetent people who tell others _not_ to run cdrecord 
> in a way on Linux that allows cdrecord to lock in core and to raise priority.
> As a result, people get coasters :-(

This needs to be differentiated a bit. Locking pages into memory and
requesting real-time scheduler properties are privileged operations, and
as such, it becomes a question of trust. Do I trust that the one-man
show Jörg Schilling gets every tiny bit right so that privileges (in
set-uid mode) are reliably dropped early enough, that there are no
backdoors someone could exploit to escalate his rights?

As systems administrator in an environment with large numbers of
untrusted users, I'd rather remove setuid bits and risk that users bitch
around about their coasters, rather than give them one more program that
might make them r00t one of my machines.

Personally, and some may see this as exaggerated, my trust is diminished
if software for instance hardcodes ISO-8859-1 output (which looks
b0rked on UTF-8 consoles), is full of misspellings in messages and
documentation, has inconsistent option parsing, and does not have
concise output. There are many really unimportant things wrong, and why
would the privileged section of the code have received more attention
than other parts?

The one tiny thing that allows the exploit is the critical one you'll
lose a machine to.

-- 
Matthias Andree


