Re: Bug#71237: cdparanoia: cannot use cdparanoia 'out of the box' as a non-root user.
On Mon, 11 Sep 2000, Dale E. Martin wrote:
> > Basically, cdparanoia requires use of 'scsi-generic' (/dev/sg*) when
> > reading from SCSI cdrom drives. /dev/sg device nodes are created with
> > root.root ownership and mode 0600.
> Which is correct - you definitely want tight access on your devices.
> > As relaxing permissions in general on /dev/sg* would create more of a
> > potential security risk for SCSI-based systems, and there is no
> > constant mapping between [/dev/scd*] and [/dev/sg*], cdparanoia should
> > be made suid root and should drop root privelages after determining
> > which /dev/sg* device to use and opening said device. Such checking
> > should also be made after a permission check of the /dev/scd* device.
> I'm not sure I agree with your solution. cdparanoia runs fine (AFAIK)
> if you go set the permissions on the appropriate device correctly.
> The basic solution that I've used on my own systems is to change the
> ownership of the appropriate sg* and scd* devices to the audio group,
> set the permissions to 0660, and then added myself (and anyone else
> needing access on shared machines) to the "audio" group.
The problem I have here is that the 'appropriate device' is not guarenteed
to stay constant with respect to the SCSI bus and ID, the way IDE devices
are for example. On my system (I believe this is actually the default)
scd devices are group audio, perm 0660, and my cdripper account is in the
Currently, I have two hard drives and two cdrom drives in this machine.
The hard drives are at IDs 0 and 1, and the cdrom drives are at IDs 5 and
Now I want to connect an external hard drive to my machine, so I have more
storage space for my music collection. I set this drive to ID 3.
Notice that now my external hard drive has access by audio group through
the generic device, and my second cdrom drive is no longer accessable by
the audio group.
Basically, cdparanoia and the installer scripts cannot depend on a fixed
mapping between the scd device and the sg device.
On the other hand, I believe this will be a moot point under devfs.
> Granted, this isn't so simple for newbie users but it works without
> running cdparanoia suid root, which would generally be considered a Bad
> Thing. Perhaps the right answer is a post install that figures out the
> devices to use (via cdparanoia itself) and then asks who needs to be
> able to run it. That would be more work then I currently have time for,
> but I would entertain any solution that was offered.
> > -- System Information
> > Debian Release: 2.2
> > Kernel Version: Linux heathen 2.2.17-usb-trelos #1 Fri Aug 4 21:11:48 PDT 2000 i586 unknown
> > Versions of the packages cdparanoia depends on:
> > ii libcdparanoia0 3a9.7-2 Shared libraries for cdparanoia (runtime lib)
> I will be updating the package this week as I've received several bug
> reports, including one about source dependencies and a couple that I've
> been putting off for some time. I'll be putting some info in
> Readme.Debian about IDE/SCSI emulation, and I'll also note the solution
> that I've suggested here.
> Comments welcome. I'm not subscribed to debian-devel so please Cc me on
> any replies.
> +---------------------- pgp key available -----------------------+
> | Dale E. Martin | Clifton Labs, Inc. | Senior Computer Engineer |
> | email@example.com | http://www.clifton-labs.com |
> To UNSUBSCRIBE, email to firstname.lastname@example.org
> with a subject of "unsubscribe". Trouble? Contact email@example.com
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com