Re: cdrecord wihout SUID

To: debian-user@lists.debian.org
Subject: Re: cdrecord wihout SUID
From: "Dwayne C. Litzenberger" <dlitz@dlitz.net>
Date: Tue, 8 Aug 2006 16:55:54 -0600
Message-id: <[🔎] 20060808225554.GA15694@rivest.dlitz.net>
Mail-followup-to: dlitz@dlitz.net, debian-user@lists.debian.org
In-reply-to: <[🔎] 44D8C097.6070901@cox.net>
References: <[🔎] 44D68A47.7060509@cox.net> <[🔎] rnfiq3-jnv.ln1@chelcicky.vysocina> <[🔎] 44D788D2.4050905@cox.net> <[🔎] slrnedg0aj.sku.keeling@heretic.spots.ab.ca> <[🔎] 44D8BA8F.5000003@cox.net> <[🔎] 44D8C097.6070901@cox.net>

On Tue, Aug 08, 2006 at 12:49:27PM -0400, José Alburquerque wrote:

The setuid-root sollution (give only the group executable rights, make itsuid root), please note that this is a security risk - you have beenwarned):
1) create a group and add users as above
2) remove world executable from cdrecord ("chmod o-x /usr/bin/cdrecord")
3) make cdrecord setuid root ("chown root /usr/bin/cdrecord; chmod u+s/usr/bin/cdrecord")4) make the group of cdrecord the newly created group ("chgrp cdburn/usr/bin/cdrecord")Now, only users in the cdburn group can execute cdrecord, and it will beexecuted with root priviligies.

Don't forget to use dpkg-statoverride to set the permissions. Otherwise,the permissions will revert when up upgrade the cdrecord package.

Also be CAREFUL. On my system, /usr/bin/cdrecord is a SHELL SCRIPT, andSUID-root shell scripts are a big security hole, IIRC. You probably wantto set the permissions on /usr/bin/cdrecord.mmap.


--
Dwayne C. Litzenberger <dlitz@dlitz.net>

Reply to:

Follow-Ups:
- Re: cdrecord wihout SUID
  - From: "David E. Fox" <dfox@m206-157.dsl.tsoft.com>

References:
- cdrecord wihout SUID
  - From: José Alburquerque <jaalburquerque@cox.net>
- Re: cdrecord wihout SUID
  - From: Matej Cepl <ceplm@seznam.cz>
- Re: cdrecord wihout SUID
  - From: José Alburquerque <jaalburquerque@cox.net>
- Re: cdrecord wihout SUID
  - From: "s. keeling" <keeling@spots.ab.ca>
- Re: cdrecord wihout SUID
  - From: José Alburquerque <jaalburquerque@cox.net>
- Re: cdrecord wihout SUID
  - From: José Alburquerque <jaalburquerque@cox.net>

Prev by Date: Cyrus, Spamassassin, and Postfix on Debian Integration
Next by Date: /dev/cdrom and /dev/cdrw both point to the writer
Previous by thread: Re: cdrecord wihout SUID
Next by thread: Re: cdrecord wihout SUID
Index(es):
- Date
- Thread