Linux 2.6.8.1 requires changes to cdrecord (and probably every other CD/DVD writing app)

2004-08-16 Thread Andreas Metzler
Hello,
May I point to
? Writing CDs
only works *as* root, SUID root is not enough. - I've been told that
Cdrecord needs to keep CAP_SYS_RAWIO.
 cu andreas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Linux 2.6.8.1 requires changes to cdrecord (and probably every other CD/DVD writing app)

2004-08-16 Thread Joerg Schilling
From: Andreas Metzler <[EMAIL PROTECTED]>

>? Writing CDs
>only works *as* root, SUID root is not enough. - I've been told that

Everything looks very unspecific and hard to understand.

But if the statements in 
http://marc.theaimsgroup.com/?l=linux-kernel&m=109266532220718&w=2
are correct, then it seems that Linux starts to copy stupid old SCO 
technology :-(

I just convinced SCO that it is completely boneheaded to believe that
the kernel knows more about a drive than e.g. cdrecord in case the SCSI
commands are routed through generic SCSI transport.

About a year ago, it has been impossible to write DVDs on SCO UnixWare
because writing DVD did need commands not yet known by the kernel :-(

They cannot be serious if they really believe that they like to need
a SCSI command filter in the kernel.

http://marc.theaimsgroup.com/?l=linux-kernel&m=109264207926099&w=2

makes me believe that Linux-2.6.8 does not allow the MODE SENSE and/or
MODE SELECT command.

If this is true, then someone in the Linux Kernel group needs to get fired :-(
If there really is a difference between EUID root and UID root, then they
did not understand the POSIX security model: Rights are checked
against EUID and in case of a suid cdrecord, EUID is root.

However, in case that they tried to implement similar security enhancements as
Sun did starting with Solaris 9, then libscg would need the same modification
as it needed on Solaris (switching to/from root bracketing each SCSI command).

(On Solaris 9 you need to have EUID root while you send a SCSI command via USCSI).

I am sorry, but as this would not be a bug fix for cdrtools, it is too late to make 
it into cdrtools-2.01-final.



>Cdrecord needs to keep CAP_SYS_RAWIO.

Could you explain this? It is not mentioned in the list of mails you sent.

Jörg

-- 
 EMail:[EMAIL PROTECTED] (home) Jörg Schilling D-13353 Berlin
   [EMAIL PROTECTED](uni)  If you don't have iso-8859-1
   [EMAIL PROTECTED](work) chars I am J"org Schilling
 URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily





Re: Linux 2.6.8.1 requires changes to cdrecord (and probably every other CD/DVD writing app)

2004-08-16 Thread Andreas Metzler
On Mon, Aug 16, 2004 at 05:38:36PM +0200, Joerg Schilling wrote:
>From: Andreas Metzler <[EMAIL PROTECTED]>
> >? Writing CDs
> >only works *as* root, SUID root is not enough. - I've been told that
[...] 
> http://marc.theaimsgroup.com/?l=linux-kernel&m=109264207926099&w=2

> makes me believe that Linux-2.6.8 does not allow the MODE SENSE and/or
> MODE SELECT command.

Disclaimer: I have not looked at any code.

> If this is true, then someone in the Linux Kernel group needs to get
> fired :-( If there really is a difference between EUID root and UID
> root, then they did not understand the POSIX security model: Rights
> are checked against EUID and in case of a suid cdrecord, EUID is
> root.

I do not think that is the case, because it would break _lots_
of stuff, the problem seems to be that cdrecord drops privileges it
needs to access the hardware.

> However, in case that they tried to implement similar security
> enhancements as Sun did starting with Solaris 9, then libscg would
> need the same modification as it needed on Solaris (switching
> to/from root bracketing each SCSI command).

That sounds much more probable.

> (On Solaris 9 you need to have EUID root while you send a SCSI
> command via USCSI).
 
> I am sorry, but as this would not be a bug fix cdrtools, it is too
> late to make it into cdrtools-2.01-final.

I am not going to try to set release goals for you.
 
>> Cdrecord needs to keep CAP_SYS_RAWIO.
 
> Could you explain this? It is not mentioned in the list of mails you sent.

Linux (iirc since 2.2) supports a finer grained permission model than
switching UID, POSIX capabilities[1]. Instead of "switching to/from
root bracketing each SCSI command" you'd simply retain the necessary
capability, CAP_SYS_RAWIO.
  cu andreas

[1] It is not part of IEEE Std 1003.1. I gather from
http://wt.xpilot.org/publications/posix.1e/ that the gremium has given
up on standardizing it.


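Andreas's point above, retaining just CAP_SYS_RAWIO rather than switching to and from root around each SCSI command, as an added example that is not code from cdrtools or from anyone in the thread: a Linux C routine that uses the raw capget(2)/capset(2) syscalls to shed every capability except one. The names `capsets`, `keep_only`, `has_effective` and `retain_only` are my own; it assumes the kernel UAPI header linux/capability.h is installed.

```c
/* Added example: keep one capability (CAP_SYS_RAWIO) and drop every other
 * one, instead of toggling EUID around each SCSI command. Linux only. */
#include <errno.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The thread's capability sets in the v3 ABI layout: two 32-bit words,
 * capability n is bit n%32 of word n/32 (CAP_SYS_RAWIO is 17, word 0). */
struct capsets { uint32_t eff[2], perm[2], inh[2]; };

/* Pure computation: the sets that retain only `cap`, and only if it is
 * currently permitted. Inheritable is cleared so nothing survives execve(). */
void keep_only(const struct capsets *cur, int cap, struct capsets *out)
{
    for (int w = 0; w < 2; w++) {
        uint32_t mask = (cap / 32 == w) ? (1u << (cap % 32)) : 0;
        out->perm[w] = cur->perm[w] & mask;
        out->eff[w]  = out->perm[w];   /* effective must stay within permitted */
        out->inh[w]  = 0;
    }
}

/* 1 if `cap` is in the effective set, else 0. */
int has_effective(const struct capsets *s, int cap)
{
    return (s->eff[cap / 32] >> (cap % 32)) & 1u;
}

/* Apply keep_only() to the calling thread via raw capget(2)/capset(2).
 * Returns 0 on success, -errno on failure. Shrinking the sets is always
 * permitted, so this also works (as a no-op) for an unprivileged process. */
int retain_only(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -errno;
    struct capsets cur = { { d[0].effective,   d[1].effective },
                           { d[0].permitted,   d[1].permitted },
                           { d[0].inheritable, d[1].inheritable } }, nw;
    keep_only(&cur, cap, &nw);
    for (int w = 0; w < 2; w++) {
        d[w].effective   = nw.eff[w];
        d[w].permitted   = nw.perm[w];
        d[w].inheritable = nw.inh[w];
    }
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -errno;
}
```

In a set-uid root binary the realistic order is prctl(PR_SET_KEEPCAPS, 1), then setuid(getuid()), then retain_only(CAP_SYS_RAWIO), because changing the effective uid away from 0 otherwise clears the capability sets (see capabilities(7)).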



Re: Linux 2.6.8.1 requires changes to cdrecord (and probably every other CD/DVD writing app)

2004-08-16 Thread Joerg Schilling
From: Andreas Metzler <[EMAIL PROTECTED]>

>I do not think that is the case, because it would break _lots_
>of stuff, the problem seems to be that cdrecord drops privileges it
>needs to access the hardware.

Wrong: cdrtools handle privileges the way you get highest security.
For this reason, cdrecord drops all privileges as soon as possible if 
possible.

If Linux suddenly changes known behavior, this is a Linux kernel bug.

>> However, in case that they tried to implement similar security
>> enhancements as Sun did starting with Solaris 9, then libscg would
>> need the same modification as it needed on Solaris (switching
>> to/from root bracketing each SCSI command).

>That sounds much more probable.

If this is the case, then it is a fault of the Linux kernel designers.
They should have written a mail to the most important 'users'.
If they did, then cdrtools would have integrated a smooth migration path.

As they did not, it needs to be called a Linux kernel bug that should be
_immediately_ fixed.

If they then inform the important users, they may retry this change in 2-4 
months.

>>> Cdrecord needs to keep CAP_SYS_RAWIO.
> 
>> Could you explain this? It is not mentioned in the list of mails you sent.

>Linux (iirc since 2.2) supports a finer grained permission model than
>switching UID, POSIX capabilities[1]. Instead of "switching to/from
>root bracketing each SCSI command" you'd simply retain the necessary
>capability, CAP_SYS_RAWIO.
>  cu andreas

If Linux has this, why is there no documentation?
Why are there no man pages for the Linux Kernel at all?

I spend a lot of my time documenting what I did.

If the Linux Kernel people would start to document their hacks, they would get a
chance to understand what they did and could even understand what interfaces 
are. Knowing what an interface is helps to design interfaces in a way that keeps
them stable.


>[1] It is not part of IEEE Std 1003.1. I gather from
>http://wt.xpilot.org/publications/posix.1e/ that the gremium has given
>up on standardizing it.

I don't see anything but ACLs here.

Solaris 10 has clean documentation for getppriv(2)/setppriv(2)

http://docs.sun.com/db/doc/816-5167/6mbb2jaeu?a=expand

Fine grained privs make sense as they allow e.g. star on Solaris 10 to
run backups without the need to be root.

There are privs to mount a fs, to read all local files and to keep the atime.

Jörg

-- 
 EMail:[EMAIL PROTECTED] (home) Jörg Schilling D-13353 Berlin
   [EMAIL PROTECTED](uni)  If you don't have iso-8859-1
   [EMAIL PROTECTED](work) chars I am J"org Schilling
 URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily





Re: Linux 2.6.8.1 requires changes to cdrecord (and probably every other CD/DVD writing app)

2004-08-16 Thread Ambrose Li
On Tue, Aug 17, 2004 at 01:13:23AM +0200, Joerg Schilling wrote:

> >Linux (iirc since 2.2) supports a finer grained permission
> >model than switching UID, POSIX capabilities[1]. Instead of
> >"switching to/from root bracketing each SCSI command" you'd
> >simply retain the necessary capability, CAP_SYS_RAWIO.
> >  cu andreas
>
> If Linux has this, why is there no documentation?  Why is
> there no man pages for the Linux Kernel at all?

There indeed is documentation (and man pages). Even I (not
a developer of any kind to speak of) remember the original
announcement (that capabilities have been implemented).

The man pages are capget(2), capset(2), and capabilities(7).

The capget(2) man page is dated 1999 and refers to
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs
which is still valid.





Re: Linux 2.6.8.1 requires changes to cdrecord (and probably every other CD/DVD writing app)

2004-08-17 Thread Andreas Metzler
On 2004-08-17 Joerg Schilling <[EMAIL PROTECTED]> wrote:
> From: Andreas Metzler <[EMAIL PROTECTED]>
[...]
> >Linux (iirc since 2.2) supports a finer grained permission model than
> >switching UID, POSIX capabilities[1]. Instead of "switching to/from
> >root bracketing each SCSI command" you'd simply retain the necessary
> >capability, CAP_SYS_RAWIO.
[...]
> >[1] It is not part of IEEE Std 1003.1. I gather from
> >http://wt.xpilot.org/publications/posix.1e/ that the gremium has given
> >up on standardizing it.

> I don't see anything but ACLs here.
[...]

http://wt.xpilot.org/publications/posix.1e/download.html
http://wt.xpilot.org/publications/posix.1e/download/Posix_1003.1e-990310.ps.bz2



Section 25: Capabilities

ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt

The preferred interface to setting capabilities seems to be through
libcap, which provides .
   cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

