So sprach Thierry Vignaud am Thu, Apr 05, 2001 at 05:24:57PM +0200:
> to enable some users and not some others to use it by specifying who
> is in this group.
> and to let these users having access to the required devices (/dev/sg*,
> /dev/scd*, /dev/pg*, and /dev/pcd* [the /dev/p* devices are for parallel
> writers])..
But why should not anyone be able to create an iso image? mkisofs doesn't
do anything remotely harmful (besides writing an awful lot of data - but if
the user has the space, why not?).
mkisofs doesn't need any of the devices you've just listed. Your comment
holds certainly true for cdrecord, and to some extent also for cdda2wav -
but in no way for mkisofs.
> As for cdrecord, it MUST be SUID root because it locks itself in
I don't care about cdrecord - because you are exactly right about what you
write.
> root suid (or guid) binaries are very, very _bad_.
> better giving accesse to a sub-system than to the whole system in case
> of security hole.
Yes, of course - but if a user has enough free space, he could also fill it
with dd if=/dev/zero of=BANG - how is that ANY different than mkisofs?
Alexander Skwar
--
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.digitalprojects.com | http://www.iso-top.de
iso-top.de - Die guenstige Art an Linux Distributionen zu kommen
Uptime: 1 day 23 hours 56 minutes
