John/Darren/Danek: I think it makes more sense to resolve these issues in the LSARC 2009/201 Brasero case. The need for totem, rhythmbox, and sound-juicer to make any changes to exec_attr are caused by the need to link in the libbrasero-burn library provided by LSARC 2009/201. So, this case depends on that case and will obviously be impacted by any decisions made in the LSARC 2009/201 case. I recommend that totem, rhythmbox, and sound-juicer just follow whatever decisions are made for the brasero case.
I went ahead and summarized all of your questions about this case in an email in the LSARC 2009/201 thread. I know Lin Ma did more research on how the security-related changes, so I think he should probably answer in that case. I will be happy to update this case based on any decisions made in the LSARC 2009/201 case, and I will highlight my changes by sending emails to this list showing the differences.

Brian

> The Brasero case (LSARC/2009/201) is still open. So these
> issues can be addressed by both Brian (LSARC/2009/202) and
> Lin Ma (LSARC/2009/201).
>
> Thanks,
>
> John
>
> Darren J Moffat wrote:
>> Brian Cameron wrote:
>>> So, much like brasero, the following lines will be added to exec_attr(4)
>>> to support this:
>>>
>>> Desktop CD User:solaris:cmd:::/usr/bin/rhythmbox.bin:privs=sys_devices
>>> Desktop CD User:solaris:cmd:::/usr/bin/sound-juicer.bin:privs=sys_devices
>>> Desktop CD User:solaris:cmd:::/usr/bin/totem.bin:privs=sys_devices
>>
>> How does this work on Linux kernel based systems? How do these
>> programs get access to the devices?
>>
>> Given what these programs do I suspect what is really wanted is
>> read and sometimes write access to the CD/DVD device nodes.
>>
>> Running them with sys_devices to overcome that feels really wrong.
>> Particularly given that "Desktop CD User" is ultimately being added to
>> "Console User".
>>
>> Can't we instead use logindevperm so that the CD/DVD devices are made
>> available with suitable unix permissions - just like we already do for
>> USB removable-media devices, generic usb devices, video devices etc.
>>
>> While there exists precedent for this hack I really don't like it and
>> having it proliferated further isn't a good idea.
>>
>> Sorry I didn't bring this up in the previous brasero case.
>>
>> --
>> Darren J Moffat
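The exec_attr(4) lines quoted in the thread grant the sys_devices privilege to three executables under the "Desktop CD User" profile, and Darren's objection is that this profile is itself nested into "Console User", so the privilege reaches every console user. The following Python script is an added example written for this page; it is not code from the thread, from the LSARC case, or from the Solaris project. It parses exec_attr(4) records (seven colon-separated fields) and prof_attr(4) records (five fields), follows nested profiles through the "profiles=" attribute, and reports which executables would run with a privilege of concern under a given profile. The sample data is constructed: the three "Desktop CD User" lines are modelled on the quoted ones, while the "Media Backup" profile, its euid=0 entry and the help= values are invented for illustration.

```python
"""Audit which privileges a Solaris RBAC profile grants to executables,
following nested profiles. All sample data below is constructed for this
example and is not taken from any real system."""
from collections import defaultdict

# Constructed exec_attr(4) records: name:policy:type:res1:res2:id:attr
EXEC_ATTR = """\
# comment lines and blank lines are skipped
Desktop CD User:solaris:cmd:::/usr/bin/rhythmbox.bin:privs=sys_devices
Desktop CD User:solaris:cmd:::/usr/bin/sound-juicer.bin:privs=sys_devices
Desktop CD User:solaris:cmd:::/usr/bin/totem.bin:privs=sys_devices
Media Backup:solaris:cmd:::/usr/bin/mt:euid=0
"""

# Constructed prof_attr(4) records: profname:res1:res2:desc:attr
# "Console User" pulls in "Desktop CD User" via the profiles= attribute.
PROF_ATTR = """\
Console User:::Manage System as the Console User:profiles=Desktop CD User
Desktop CD User:::Read and write CDs:help=DesktopCDUser.html
Media Backup:::Backup Files:help=Backup.html
"""


def parse_attr(attr):
    """Split an attr field ('privs=a,b;euid=0') into {key: [values]}."""
    out = {}
    for kv in attr.split(';'):
        if not kv:
            continue
        key, _, value = kv.partition('=')
        out[key] = [v for v in value.split(',') if v]
    return out


def _records(text, nfields, what):
    """Yield field lists from a colon-separated database, validating arity."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != nfields:
            raise ValueError('bad %s record (%d fields): %r'
                             % (what, len(fields), line))
        yield fields


def parse_exec_attr(text):
    """Return a list of exec_attr entries as dicts."""
    entries = []
    for name, policy, typ, _res1, _res2, ident, attr in _records(text, 7, 'exec_attr'):
        entries.append({'profile': name, 'policy': policy, 'type': typ,
                        'id': ident, 'attr': parse_attr(attr)})
    return entries


def parse_prof_attr(text):
    """Return {profile name: parsed attr dict}."""
    profiles = {}
    for name, _res1, _res2, _desc, attr in _records(text, 5, 'prof_attr'):
        profiles[name] = parse_attr(attr)
    return profiles


def effective_privs(profile, prof_attr, exec_attr):
    """Map executable -> set of privs reachable from `profile`,
    including those granted through nested profiles (cycles are safe)."""
    result = defaultdict(set)
    seen, stack = set(), [profile]
    while stack:
        prof = stack.pop()
        if prof in seen:
            continue
        seen.add(prof)
        for entry in exec_attr:
            if entry['profile'] == prof:
                result[entry['id']].update(entry['attr'].get('privs', []))
        stack.extend(prof_attr.get(prof, {}).get('profiles', []))
    return dict(result)


def flag_broad_privs(profile, prof_attr, exec_attr, broad=('sys_devices',)):
    """Sorted list of executables that would run with any privilege in
    `broad` when invoked by a user holding `profile`."""
    eff = effective_privs(profile, prof_attr, exec_attr)
    return sorted(path for path, privs in eff.items() if privs & set(broad))


if __name__ == '__main__':
    ex = parse_exec_attr(EXEC_ATTR)
    pr = parse_prof_attr(PROF_ATTR)
    for prof in ('Console User', 'Desktop CD User', 'Media Backup'):
        print('%-16s -> %s' % (prof, flag_broad_privs(prof, pr, ex)))
```

Running it shows that "Console User" ends up with the same three sys_devices executables as "Desktop CD User" even though no exec_attr line names "Console User" directly, which is exactly the proliferation the thread is worried about; "Media Backup" reports nothing because its entry sets euid rather than a privilege. Pointing the two parsers at a real /etc/security/exec_attr and /etc/security/prof_attr is the natural next step, since the field layouts are the ones those files use.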