
Re: cdrecord without SUID



José Alburquerque wrote:

s. keeling wrote:

Very odd, on both of you.

(0) heretic /home/keeling_ all `which cdrecord`
-rwxr-xr-x  1 root root 133 2005-01-09 09:55 /usr/bin/cdrecord*

No SUID needed.

(0) heretic /home/keeling_ id
uid=1000(keeling) gid=1000(keeling)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),50(staff),1000(keeling)

I'm running Sarge/stable, Kernel 2.6.8-3-686.  I've no problem burning
CDs as user keeling:

(0) heretic /home/keeling_ cdrecord dev=/dev/hdd -eject -tao \
      -data xubuntu-6.06-desktop-i386.iso

Works fine (cdrecord, I mean; not xubuntu :-P ).

I'm not sure, but I believe it has to do with the kernel versions as Mumia posted. You're running 2.6.8-3, but I'm running 2.6.16-2 on an etch (testing) system. Oh well, I guess I'll probably end up using sudo (it does seem like a good solution!).


BTW, this link (http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0188.html) explains somewhat why cdrecord insists on SUID to function, but another solution (found in the gcombust faq) would be the "safer" suid solution below (though I'm still leaning towards sudo):

There are two reasons for running cdrecord with root privileges; 1) real time priority and 2) locking the buffers (so they can't get swapped out). cdrecord can be run without root privileges, but it increases the chance of a buffer underrun. cdrecord also needs read/write access to the cdr-device (for making multisession cd:s mkisofs also needs read access to the device). Please understand that making cdrecord suid root is a security risk.

First, the non-root solution (this should be quite safe, but I'm no scsi guru, you are granting write access to a scsi device..):

1) create a group for user who should be allowed to burn ("addgroup cdburn")
2) add user to this group ("adduser joedoe cdburn")
3) change the group owner of the device to cdburn, and give it group read/write rights ("chgrp cdburn /dev/scd0; chmod g+rw /dev/scd0")

The setuid-root solution (give only the group executable rights, make it suid root, please note that this is a security risk - you have been warned):

1) create a group and add users as above
2) remove world executable from cdrecord ("chmod o-x /usr/bin/cdrecord")
3) make cdrecord setuid root ("chown root /usr/bin/cdrecord; chmod u+s /usr/bin/cdrecord")
4) make the group of cdrecord the newly created group ("chgrp cdburn /usr/bin/cdrecord")

Now, only users in the cdburn group can execute cdrecord, and it will be executed with root privileges.

For mkisofs, it should be enough to give the users read right to the cdr device (needed for multisession).
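
A check of which of the two quoted layouts a system actually ends up in, as an added example that is not part of the original message or of the gcombust FAQ. It assumes GNU stat; the function names and verdict strings are this example's own, while /usr/bin/cdrecord, /dev/scd0 and cdburn are the FAQ's example values.

```sh
#!/bin/sh
# Added example: audit the permission layouts described in the quoted FAQ.
# Assumes GNU stat (-c). Function names and verdicts are hypothetical.

# perm_bits FILE: numeric value of the octal mode (setuid bit = 04000).
perm_bits() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    echo $((0$m))
}

# audit_binary FILE GROUP [OWNER]: classify a cdrecord-style binary.
audit_binary() {
    bits=$(perm_bits "$1") || { echo missing; return 0; }
    owner=$(stat -c '%U' "$1"); grp=$(stat -c '%G' "$1")
    if [ $((bits & 04000)) -eq 0 ]; then
        echo no-suid              # runs with the caller's own privileges
    elif [ "$owner" != "${3:-root}" ]; then
        echo suid-other-owner     # setuid, but not to the expected owner
    elif [ $((bits & 0001)) -ne 0 ]; then
        echo suid-world-exec      # every local user can run the setuid binary
    elif [ "$grp" != "$2" ] || [ $((bits & 0010)) -eq 0 ]; then
        echo suid-wrong-group     # o-x is set, but GROUP cannot execute it
    else
        echo suid-group-only      # the FAQ's restricted setuid layout
    fi
}

# audit_device FILE GROUP: classify the burner device node.
audit_device() {
    bits=$(perm_bits "$1") || { echo missing; return 0; }
    grp=$(stat -c '%G' "$1")
    if [ $((bits & 0002)) -ne 0 ]; then
        echo world-writable       # any user can write to the device
    elif [ "$grp" = "$2" ] && [ $((bits & 0060)) -eq $((0060)) ]; then
        echo group-rw             # the FAQ's non-root layout
    else
        echo no-group-rw
    fi
}

# Usage: script BINARY DEVICE GROUP, e.g. /usr/bin/cdrecord /dev/scd0 cdburn
if [ "$#" -eq 3 ]; then
    audit_binary "$1" "$3"
    audit_device "$2" "$3"
fi
```

On Linux a chown or chgrp clears the setuid bit of an executable, so run the check after the last ownership change rather than assuming the bit survived.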


