
Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.



> Basically, cdparanoia requires use of 'scsi-generic' (/dev/sg*) when
> reading from SCSI cdrom drives. /dev/sg device nodes are created with
> root.root ownership and mode 0600.

Which is correct - you definitely want tight access on your devices.
 
> As relaxing permissions in general on /dev/sg* would create more of a
> potential security risk for SCSI-based systems, and there is no
> constant mapping between [/dev/scd*] and [/dev/sg*], cdparanoia should
> be made suid root and should drop root privileges after determining
> which /dev/sg* device to use and opening said device. Such checking
> should also be made after a permission check of the /dev/scd* device.
 
I'm not sure I agree with your solution.  cdparanoia runs fine (AFAIK)
if you go set the permissions on the appropriate device correctly.
The basic solution that I've used on my own systems is to change the
ownership of the appropriate sg* and scd* devices to the audio group,
set the permissions to 0660, and then add myself (and anyone else
needing access on shared machines) to the "audio" group.

Granted, this isn't so simple for newbie users but it works without
running cdparanoia suid root, which would generally be considered a Bad
Thing.  Perhaps the right answer is a post install that figures out the
devices to use (via cdparanoia itself) and then asks who needs to be
able to run it.  That would be more work than I currently have time for,
but I would entertain any solution that was offered.

> -- System Information
> Debian Release: 2.2
> Kernel Version: Linux heathen 2.2.17-usb-trelos #1 Fri Aug 4 21:11:48 PDT 2000 i586 unknown
> 
> Versions of the packages cdparanoia depends on:
> ii  libcdparanoia0      3a9.7-2             Shared libraries for cdparanoia (runtime lib)

I will be updating the package this week as I've received several bug
reports, including one about source dependencies and a couple that I've
been putting off for some time.  I'll be putting some info in
Readme.Debian about IDE/SCSI emulation, and I'll also note the solution
that I've suggested here.

Comments welcome.  I'm not subscribed to debian-devel so please Cc me on
any replies.

Thanks,
	Dale
-- 
+---------------------- pgp key available -----------------------+
| Dale E. Martin | Clifton Labs, Inc. | Senior Computer Engineer |
| dmartin@clifton-labs.com    |    http://www.clifton-labs.com   |
+----------------------------------------------------------------+
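
An added example, not part of the original message or the cdparanoia package: a small shell audit that checks whether device nodes match the group-based scheme described above (group "audio", mode 0660) instead of relying on a suid-root binary. It assumes GNU stat; the function names and the device paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: audit SCSI CD device nodes against the scheme from the
# mail (group "audio", mode 0660). Assumes GNU stat.
# Usage (device names are illustrative):
#   sh audit-nodes.sh /dev/sg0 /dev/scd0

# classify_node PATH GROUP -> prints one verdict word
classify_node() {
    node=$1
    want=$2
    if [ ! -e "$node" ]; then echo missing; return 0; fi
    mode=$(stat -c '%a' "$node") || return 1
    group=$(stat -c '%G' "$node") || return 1
    m=$((0$mode))                        # octal permission bits as a number
    if [ $(( m & 07 )) -ne 0 ]; then
        echo world-accessible            # any "other" bit opens the node to every user
    elif [ $(( (m >> 3) & 06 )) -ne 6 ]; then
        echo group-lacks-rw              # e.g. the default 0600 described in the report
    elif [ "$group" != "$want" ]; then
        echo wrong-group
    else
        echo ok
    fi
}

# audit_nodes GROUP PATH... -> one report line per node; returns 1 if any is not ok
audit_nodes() {
    want_group=$1
    shift
    rc=0
    for n in "$@"; do
        v=$(classify_node "$n" "$want_group")
        printf '%-20s %s\n' "$n" "$v"
        [ "$v" = ok ] || rc=1
    done
    return $rc
}

# Run only when device paths are given on the command line.
if [ $# -gt 0 ]; then
    audit_nodes audio "$@"
fi
```
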

