Re: trixie: cdrecord can no longer write to CD
Hi,
D. R. Evans wrote:
> > The actual solution:
> > sudo chmod 4711 /usr/bin/wodim; sudo chmod 4711 /usr/bin/cdrdao
Michael Paoli wrote:
> That's an incredibly bad idea. Setting programs to be SUID and/or
> SGID when they weren't intended to be set and run so, typically opens
> up major security vulnerabilities.
While i agree that setuid root for wodim (or cdrecord) is an
undesirable situation, i have to point out that cdrecord was developed
under the assumption to run with superuser powers and that wodim never
gave indications to have abandoned this assumption.
man cdrecord of version 1.6 (i.e. before wodim was forked) says in
section NOTES:
-----------------------------------------------------------------------
Cdrecord needs
to run as root to get access to the /dev/scg? device nodes and to be
able to lock itself into memory.
If you don't want to allow users to become root on your system,
cdrecord may safely be installed suid root. This allows all users or a
group of users with no root privileges to use cdrecord. Cdrecord in
this case checks, if the real user would have been able to read the
specified files. To give all user access to use cdrecord, enter:
chmod 4711 /usr/local/bin/cdrecord
-----------------------------------------------------------------------
In version cdrtools-3.02 there is a justification early in the page:
-----------------------------------------------------------------------
Constraints for running cdrecord
[...]
In order to be able to use the SCSI transport subsystem of the OS, run
at highest priority and lock itself into core cdrecord either needs to
be run as root, needs to be installed suid root or must be called via a
fine grained privileges mechanism, such as the Solaris privileges(5)
mechanism via exec_attr(4) or the Linux capabilities(7) mechanism via
setcap(8) to allow cdrecord to be used as an ordinary user.
-----------------------------------------------------------------------
Above NOTES paragraph of version 1.6 still is in 3.02.
https://manpages.debian.org/trixie/wodim/wodim.1.en.html
says early in the page
-----------------------------------------------------------------------
In any case, the user running wodim needs read and write access to
the particular device file on a Linux system. It is recommended to be
root or install the application as suid-root, because certain
versions of Linux (kernel) limit the set of SCSI commands allowed for
non-root users. Even if usage without root identity is possible in
many cases, some device drivers still may fail, show unexplainable
problems and generally the problems become harder to debug. The risk
for buffer-underruns is also increased.
-----------------------------------------------------------------------
In the NOTES sections are still some of the sentences from man
cdrecord.
(I strongly disagree with most of the justifications given in the man
pages. Buffer underrun is no problem since year 2000 because of
"burn-free" and of the 3000 MHz 64-bit multi-core i/o monsters with
NVME disks which replaced the 100 MHz single-core Pentiums with PATA
disks and ATAPI CD burners.
Proposing to use root power when unexplainable failures occur is a
capitulation in the face of the bug.)
Have a nice day :)
Thomas
Reply to: