Thierry Vignaud wrote:

Essentially making mkisofs a+rx is no harm whatsoever.

I create .iso's that get written using another machine, the
machine I create the .iso's on does not have a CD writer,
and I would prefer to be able to create .iso's as me,
they still end up group owned by cdwriter.

> Alexander Skwar <[EMAIL PROTECTED]> writes:
> 
>> [askwar@teich RPM]$ which mkisofs 
>> /usr/bin/mkisofs
>> [askwar@teich RPM]$ ls -la $(which mkisofs)
>> -rwxr-s---    2 root     cdwriter   323036 Mär  2 12:25 /usr/bin/mkisofs*
>> [askwar@teich RPM]$ rpm -qf $(which mkisofs )
>> mkisofs-1.13-5mdk
>> 
>> That is, why is mkisofs not executable by anyone?
> 
> 
> it's executable by everyone in cdwriter group.  Whether normal users
> are in this group varies with security level.
> 
>> What harm can possibly be done by running mkisofs?
> 
> 
> see later
> 
>> And also, what is it set gid for?  
> 
> 
> to enable some users and not some others to use it by specifying who
> is in this group.
> and to let these users have access to the required devices (/dev/sg*,
> /dev/scd*, /dev/pg*, and /dev/pcd* [the /dev/p* devices are for parallel
> writers]).
> As for cdrecord, it MUST be SUID root because it locks itself in
> memory which can only be done with root rights (see "man
> cdrecord").
> cdda2wav has some real time features and to support them it is SUID
> root, too.
> So we make all these utilities be root.cdwriter owned and use group
> membership to offer security.
> 
>> And last, why is it owned by group cdwriter, and not group root,
>> like about anything else?
> 
> 
> root suid (or guid) binaries are very, very _bad_.
> better giving access to a sub-system than to the whole system in case
> of security hole.
> 


-- 
John Allen,                          Email:  mailto:[EMAIL PROTECTED]
Orbiscom Ltd,                        Web:    http://www.orbiscom.com/
3 Sandyford Park,                    Direct: +353-1-2178610
Sandyford Industrial Estate,         Office: +353-86-2315986
Dublin 18.                           Fax:    +353-1-2945119
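
An added illustration, not part of the thread and not Mandrake's code: it models the classic Unix execute check for the mode shown in the `ls -la` output (`-rwxr-s---`, root:cdwriter), for the same file after `chmod a+rx`, and for a copy without the setgid bit. The numeric IDs are constructed, and ACLs, capabilities and `nosuid` mounts are assumed absent.

```python
import stat

# Constructed IDs for illustration; real values come from /etc/passwd and /etc/group.
ROOT_UID, CDWRITER_GID, USER_UID, USER_GID = 0, 80, 501, 501

_RWX = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
        stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
        stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_ls_mode(column):
    """Convert the permission column of `ls -l` (e.g. '-rwxr-s---') to mode bits."""
    mode = 0
    for i, ch in enumerate(column[1:10]):
        if ch in "rwx":
            mode |= _RWX[i]
        elif ch in "st":        # special bit with execute set
            mode |= _RWX[i] | _SPECIAL[i]
        elif ch in "ST":        # special bit without execute
            mode |= _SPECIAL[i]
    return mode

def exec_outcome(mode, file_uid, file_gid, uid, gid, groups=()):
    """Return (may_execute, effective_gid_after_exec) for one caller."""
    if uid == 0:
        allowed = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    elif uid == file_uid:
        allowed = mode & stat.S_IXUSR
    elif gid == file_gid or file_gid in groups:
        allowed = mode & stat.S_IXGRP
    else:
        allowed = mode & stat.S_IXOTH
    if not allowed:
        return (False, None)
    # Linux honours setgid on exec only when group-execute is also set.
    setgid = (mode & stat.S_ISGID) and (mode & stat.S_IXGRP)
    return (True, file_gid if setgid else gid)

def compare_modes():
    """Outcome for a user outside and inside cdwriter, per candidate mode."""
    result = {}
    for column in ("-rwxr-s---", "-rwxr-sr-x", "-rwxr-xr-x"):
        mode = parse_ls_mode(column)
        outsider = exec_outcome(mode, ROOT_UID, CDWRITER_GID, USER_UID, USER_GID)
        member = exec_outcome(mode, ROOT_UID, CDWRITER_GID, USER_UID, USER_GID,
                              groups=(CDWRITER_GID,))
        result[column] = {"outsider": outsider, "member": member}
    return result

if __name__ == "__main__":
    for column, who in compare_modes().items():
        print(column, who)
```

With `a+rx` applied while the setgid bit stays, a user outside cdwriter runs mkisofs with cdwriter as effective group; without the bit, anyone can build an image but the process keeps the caller's own group.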



