Re: cdrdao / ide-scsi problem
On Thu, Apr 03, 2003 at 08:35:02AM -0600, Nathan E Norman wrote:
> Shoot the maintainer of xcdroast an email asking him about the issue,
> or open a wishlist bug.

Submitted wishlist bug against xcdroast.

--
 .''`.     Baloo Ursidae [EMAIL PROTECTED]
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system

Re: cdrdao / ide-scsi problem
On Fri, Apr 04, 2003 at 04:42:17AM +1000, bob parker wrote:
> Using a setuid root program (sudo) to avoid having cdrecord or cdrdao
> set up as setuid root just does not make any sense to me at all.

Well, sudo can be used as a means of authentication to limit it to just
trusted users. But for CD burning, I don't see the point.

--
 .''`.     Baloo Ursidae [EMAIL PROTECTED]
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system

Re: cdrdao / ide-scsi problem
On Fri, 4 Apr 2003 20:20, Paul Johnson wrote:
> On Fri, Apr 04, 2003 at 04:42:17AM +1000, bob parker wrote:
>> Using a setuid root program (sudo) to avoid having cdrecord or cdrdao
>> set up as setuid root just does not make any sense to me at all.
>
> Well, sudo can be used as a means of authentication to limit it to just
> trusted users. But for CD burning, I don't see the point.

The point is that cdrdao requires root privilege to run, period.

So far as I can tell there is no difference in risk whether it gets root
privilege by being run with sudo, su root and run it, or being setuid
root. To be sure you can control access to the program using sudo, just
as you can using group membership etc.

Check the beginning of the thread to see how it got here.

Re: cdrdao / ide-scsi problem
On Sat, Apr 05, 2003 at 04:20:42AM +1000, bob parker wrote:
> The point is that cdrdao requires root privilege to run, period

No, I meant I don't understand why someone would protect cdrdao with
sudo...

--
 .''`.     Baloo Ursidae [EMAIL PROTECTED]
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system

Re: cdrdao / ide-scsi problem
On Wed, Apr 02, 2003 at 08:41:29PM +0200, David Fokkema wrote:
> Well, you are right, so I tried, :-). It works, so there is reason to be
> glad. However, I'm still wondering how paranoid I must be to still want
> cdrdao to run without setuid. Furthermore, without setuid and with group
> permissions or something like that I should be able to control which
> users may use the writer and which may not. So I will use this until I
> find something better...
>
> Thanks for the help,

Sudo is a solution.

Qian

Re: cdrdao / ide-scsi problem
>> Well, you are right, so I tried, :-). It works, so there is reason to
>> be glad. However, I'm still wondering how paranoid I must be to still
>> want cdrdao to run without setuid. Furthermore, without setuid and with
>> group permissions or something like that I should be able to control
>> which users may use the writer and which may not. So I will use this
>> until I find something better...
>>
>> Thanks for the help,
>
> Sudo is a solution.

Well, that way a user that can run cdrdao can run basically everything,
can't he?

David

Re: cdrdao / ide-scsi problem
>> Here is the way Debian installs cdrecord
>> -rws--x---    1 root     cdrom        177k Apr  9  2002 /usr/bin/cdrecord
>
> The package I see in unstable installs as -rwsr-xr-- if you're running
> setuid, which is much more sensible (there's a comment in the Debian
> policy manual noting that there's no point making binaries unreadable
> since people can always just fetch them from the freely available
> packages).
>
> Cheers,
>
> --
> Colin Watson [EMAIL PROTECTED]

Yes, I have that now too. And false security is no security at all...

David

Re: cdrdao / ide-scsi problem
On Wed, Apr 02, 2003 at 11:24:36PM -0800, Paul Johnson wrote:
> On Thu, Apr 03, 2003 at 03:32:43AM +1000, bob parker wrote:
>> I'm no expert really, and maybe there is some other permissions problem
>> going on, but I observe that with a default Debian Woody install that
>> cdrecord is setuid. Afaik that is because it needs to lock some memory
>> when it starts.
>
> I have to wonder why cdrecord, xcdroast, etc that depend on suid to work
> properly aren't set that way by default in sid.

cdrecord asks the following debconf question:

  Template: cdrecord/SUID_bit
  Type: boolean
  Default: false
  Description: Do you want /usr/bin/cdrecord to be installed SUID root?
   You have the option of installing cdrecord with the SUID bit set.
   .
   If you make cdrecord SUID, you can allow users in the cdrom group to
   burn CD-ROMs without needing any additional privileges. This could,
   however, potentially allow cdrecord to be used during a security
   attack on your computer. If in doubt, I suggest you install it without
   SUID. If you later change your mind, you can run:
   dpkg-reconfigure cdrecord.

--
Colin Watson [EMAIL PROTECTED]

Re: cdrdao / ide-scsi problem
On Thu, Apr 03, 2003 at 10:10:10AM +0100, Colin Watson wrote:
> cdrecord asks the following debconf question:

OK, my bad. But xcdroast doesn't, and I never use cdrecord from the
command line since xcdroast will do it all in one shot for me.

--
 .''`.     Baloo Ursidae [EMAIL PROTECTED]
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system

Re: cdrdao / ide-scsi problem
On Thu, Apr 03, 2003 at 10:23:59AM +0200, David Fokkema wrote:
>>> Well, you are right, so I tried, :-). It works, so there is reason to
>>> be glad. However, I'm still wondering how paranoid I must be to still
>>> want cdrdao to run without setuid. Furthermore, without setuid and
>>> with group permissions or something like that I should be able to
>>> control which users may use the writer and which may not. So I will
>>> use this until I find something better...
>>>
>>> Thanks for the help,
>>
>> Sudo is a solution.
>
> Well, that way a user that can run cdrdao can run basically everything,
> can't he?

No. By sudo you can limit the user to run a specific program, even with
specific options.

Qian

Re: cdrdao / ide-scsi problem
>>> Sudo is a solution.
>>
>> Well, that way a user that can run cdrdao can run basically everything,
>> can't he?
>
> No. By sudo you can limit the user to run a specific program, even with
> specific options.

In that case sudo might be worth looking into and I will do just that,
:-)

David

Re: cdrdao / ide-scsi problem
On Wed, Apr 02, 2003 at 11:24:36PM -0800, Paul Johnson wrote:
> On Thu, Apr 03, 2003 at 03:32:43AM +1000, bob parker wrote:
>> I'm no expert really, and maybe there is some other permissions problem
>> going on, but I observe that with a default Debian Woody install that
>> cdrecord is setuid. Afaik that is because it needs to lock some memory
>> when it starts.
>
> I have to wonder why cdrecord, xcdroast, etc that depend on suid to work
> properly aren't set that way by default in sid. Instead you have to
> su -m and run xcdroast as root to enable non-root configuration after
> pretty much any upgrade. Why there isn't an option to enable xcdroast
> non-root configuration during dpkg is beyond me.

There is -- at least there was the last time I updated testing. Debconfig
offers you a choice.

--
Cheers,
russ.

Re: cdrdao / ide-scsi problem
On Thu, Apr 03, 2003 at 02:07:28AM -0800, Paul Johnson wrote:
> On Thu, Apr 03, 2003 at 10:10:10AM +0100, Colin Watson wrote:
>> cdrecord asks the following debconf question:
>
> OK, my bad. But xcdroast doesn't, and I never use cdrecord from the
> command line since xcdroast will do it all in one shot for me.

Shoot the maintainer of xcdroast an email asking him about the issue,
or open a wishlist bug.

--
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Tell me and I'll forget; show me and I may remember;
  involve me and I'll understand.
  -- Chinese Proverb

Re: cdrdao / ide-scsi problem
Nathan E Norman wrote:
> On Thu, Apr 03, 2003 at 02:07:28AM -0800, Paul Johnson wrote:
>> On Thu, Apr 03, 2003 at 10:10:10AM +0100, Colin Watson wrote:
>>> cdrecord asks the following debconf question:
>>
>> OK, my bad. But xcdroast doesn't, and I never use cdrecord from the
>> command line since xcdroast will do it all in one shot for me.
>
> Shoot the maintainer of xcdroast an email asking him about the issue,
> or open a wishlist bug.

Hi

when you install xcdroast, logged into X as root, it does this the first
time you start the app.:

  /bin/chown root /usr/lib/xcdroast/bin/xcdrwrap
  /bin/chgrp cdrom /usr/lib/xcdroast/bin/xcdrwrap
  /bin/chmod 2755 /usr/lib/xcdroast/bin/xcdrwrap
  /bin/chown root /usr/bin/cdrecord
  /bin/chgrp cdrom /usr/bin/cdrecord
  /bin/chmod 4710 /usr/bin/cdrecord
  /bin/chown root /usr/bin/mkisofs
  /bin/chgrp cdrom /usr/bin/mkisofs
  /bin/chmod 4710 /usr/bin/mkisofs
  /bin/chown root /usr/bin/readcd
  /bin/chgrp cdrom /usr/bin/readcd
  /bin/chmod 4710 /usr/bin/readcd
  /bin/chown root /usr/bin/cdda2wav
  /bin/chgrp cdrom /usr/bin/cdda2wav
  /bin/chmod 4710 /usr/bin/cdda2wav

This is from the last time I installed xcdroast. I'm running unstable
with xcdroast 0.98+0alpha13-2

Works like a charm for all users, Windowmaker and KDE.

--
/ernst

Re: cdrdao / ide-scsi problem
On Thu, 3 Apr 2003 20:59, Qian Gong wrote:
>>> Sudo is a solution.
>>
>> Well, that way a user that can run cdrdao can run basically everything,
>> can't he?
>
> No. By sudo you can limit the user to run a specific program, even with
> specific options.

sudo is a setuid program, it needs to be to do its job. If you use it to
run a rogue program that is going to do some damage then the damage will
be done whether that program is setuid root, whether you sudo it, or
whether you su and then run it as root.

Using a setuid root program (sudo) to avoid having cdrecord or cdrdao set
up as setuid root just does not make any sense to me at all.

If you have a trojanned version of cdrdao it will do its damage when you
run it with root's privileges however you do it. And if you do not run it
with root's privileges it will not run at all.

The question is really whether you have obtained your copy of cdrdao from
a trusted source or not. Or so it seems to me.

Regards to all
Bob

Re: cdrdao / ide-scsi problem
On Wed, 2 Apr 2003 16:56, David Fokkema wrote:
>> I think you might need to setuid cdrdao
>>
>> hth
>> Bob
>
> If there is any other way, I'd rather not do that, :-)

I'm no expert really, and maybe there is some other permissions problem
going on, but I observe that with a default Debian Woody install that
cdrecord is setuid. Afaik that is because it needs to lock some memory
when it starts.

I'm guessing that cdrdao might have the same need. There are of course
very serious objections to setuid on a script but a compiled program is a
different matter.

Why not try it? You can always remove the flag immediately afterward.

Bob

Re: cdrdao / ide-scsi problem
>>> I think you might need to setuid cdrdao
>>>
>>> hth
>>> Bob
>>
>> If there is any other way, I'd rather not do that, :-)
>
> I'm no expert really, and maybe there is some other permissions problem
> going on, but I observe that with a default Debian Woody install that
> cdrecord is setuid. Afaik that is because it needs to lock some memory
> when it starts.
>
> I'm guessing that cdrdao might have the same need. There are of course
> very serious objections to setuid on a script but a compiled program is
> a different matter.
>
> Why not try it? You can always remove the flag immediately afterward.
>
> Bob

Well, you are right, so I tried, :-). It works, so there is reason to be
glad. However, I'm still wondering how paranoid I must be to still want
cdrdao to run without setuid. Furthermore, without setuid and with group
permissions or something like that I should be able to control which
users may use the writer and which may not. So I will use this until I
find something better...

Thanks for the help,

David

Re: cdrdao / ide-scsi problem
On Thu, 3 Apr 2003 04:22, David Fokkema wrote:
> Well, you are right, so I tried, :-). It works, so there is reason to be
> glad. However, I'm still wondering how paranoid I must be to still want
> cdrdao to run without setuid. Furthermore, without setuid and with group
> permissions or something like that I should be able to control which
> users may use the writer and which may not. So I will use this until I
> find something better...

David,

Here is the way Debian installs cdrecord
-rws--x---    1 root     cdrom        177k Apr  9  2002 /usr/bin/cdrecord

I am the only user on my system that belongs to the cdrom group, so I am
the only non root user who can burn cds.

You can set the same permissions for cdrdao, and the same owner and
group. The easy way, check out the --reference option in man chmod.

Then you have complete control over who can and who can not use cdrdao as
well as cdrecord.

Bob

Re: cdrdao / ide-scsi problem
>> Well, you are right, so I tried, :-). It works, so there is reason to
>> be glad. However, I'm still wondering how paranoid I must be to still
>> want cdrdao to run without setuid. Furthermore, without setuid and with
>> group permissions or something like that I should be able to control
>> which users may use the writer and which may not. So I will use this
>> until I find something better...
>
> David,
>
> Here is the way Debian installs cdrecord
> -rws--x---    1 root     cdrom        177k Apr  9  2002 /usr/bin/cdrecord
>
> I am the only user on my system that belongs to the cdrom group, so I am
> the only non root user who can burn cds.
>
> You can set the same permissions for cdrdao, and the same owner and
> group. The easy way, check out the --reference option in man chmod.
>
> Then you have complete control over who can and who can not use cdrdao
> as well as cdrecord.
>
> Bob

Ah, yes, sigh. Why couldn't I think of that... I'm going to change it
right away, ;-)

Thank you for your help!

David

Re: cdrdao / ide-scsi problem
On Thu, Apr 03, 2003 at 05:17:45AM +1000, bob parker wrote:
> On Thu, 3 Apr 2003 04:22, David Fokkema wrote:
>> Well, you are right, so I tried, :-). It works, so there is reason to
>> be glad. However, I'm still wondering how paranoid I must be to still
>> want cdrdao to run without setuid. Furthermore, without setuid and with
>> group permissions or something like that I should be able to control
>> which users may use the writer and which may not. So I will use this
>> until I find something better...
>
> David,
>
> Here is the way Debian installs cdrecord
> -rws--x---    1 root     cdrom        177k Apr  9  2002 /usr/bin/cdrecord

The package I see in unstable installs as -rwsr-xr-- if you're running
setuid, which is much more sensible (there's a comment in the Debian
policy manual noting that there's no point making binaries unreadable
since people can always just fetch them from the freely available
packages).

Cheers,

--
Colin Watson [EMAIL PROTECTED]

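The two modes compared in the messages above, -rws--x--- (4710) and -rwsr-xr-- (4754), checked in an added example that is not from any poster in this thread: it copies a mode with chmod --reference, then reports who can execute a setuid file and whether users outside the group can read it. The function names and the scratch files standing in for cdrecord and cdrdao are assumptions, as is the GNU/Linux `stat -c` format.

```sh
#!/bin/sh
# Added example; touches only scratch files it creates itself.

# Print who can trigger the setuid bit on FILE:
#   not-setuid | setuid:owner-only | setuid:group | setuid:world
suid_exposure() {
    mode=$(stat -c '%a' "$1") || return 1
    m=$((0$mode))                      # leading 0: parse digits as octal
    if [ $((m & 04000)) -eq 0 ]; then
        echo "not-setuid"
    elif [ $((m & 0001)) -ne 0 ]; then
        echo "setuid:world"            # "other" has execute permission
    elif [ $((m & 0010)) -ne 0 ]; then
        echo "setuid:group"            # execute limited to owner and group
    else
        echo "setuid:owner-only"
    fi
}

# True when users outside owner and group can read FILE's contents.
world_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $((0$mode & 0004)) -ne 0 ]
}

# Copy REF's mode bits (setuid bit included) onto TARGET. Falls back to
# the octal mode from stat where chmod lacks the GNU --reference option.
# When ownership must change too, chown/chgrp first: changing the owner
# of an executable clears its setuid bit, so chmod has to come last.
clone_mode() {
    chmod --reference="$1" "$2" 2>/dev/null ||
        chmod "$(stat -c '%a' "$1")" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    : > "$d/cdrecord"; : > "$d/cdrdao"     # constructed stand-ins
    chmod 4710 "$d/cdrecord"               # -rws--x---
    clone_mode "$d/cdrecord" "$d/cdrdao"
    echo "4710: $(suid_exposure "$d/cdrdao")"
    chmod 4754 "$d/cdrdao"                 # -rwsr-xr--
    echo "4754: $(suid_exposure "$d/cdrdao")"
    world_readable "$d/cdrdao" && echo "4754: readable by everyone"
    rm -rf "$d"
}
demo
```

Both modes leave execution to root and the cdrom group; 4754 only adds read access for everyone else.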
Re: cdrdao / ide-scsi problem
On Thu, Apr 03, 2003 at 03:32:43AM +1000, bob parker wrote:
> I'm no expert really, and maybe there is some other permissions problem
> going on, but I observe that with a default Debian Woody install that
> cdrecord is setuid. Afaik that is because it needs to lock some memory
> when it starts.

I have to wonder why cdrecord, xcdroast, etc that depend on suid to work
properly aren't set that way by default in sid. Instead you have to
su -m and run xcdroast as root to enable non-root configuration after
pretty much any upgrade. Why there isn't an option to enable xcdroast
non-root configuration during dpkg is beyond me.

--
 .''`.     Baloo Ursidae [EMAIL PROTECTED]
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system

cdrdao / ide-scsi problem
Hi,

I recompiled cdrdao for stable and installed it on my server and I want
to be able to use it as a regular user. Now, cdrdao scanbus should list
all devices. As root, everything is ok, two IDE devices show up as
normal, everything works fine. The problem is that I don't get it to work
for a regular user. I tried:

  chown root:cdrom /dev/sg0
  chown root:cdrecorder /dev/sg1 (created the group)
  chmod g+r sg0
  chmod g+rw sg1
  usermod -G dfokkema,cdrom,cdrecorder dfokkema

I quit ssh and restarted it, and cdrdao scanbus gives nothing. No error,
no lists, nothing.

What should I do?

David

Re: cdrdao / ide-scsi problem
On Wed, 2 Apr 2003 03:07, David Fokkema wrote:
> Hi,
>
> I recompiled cdrdao for stable and installed it on my server and I want
> to be able to use it as a regular user. Now, cdrdao scanbus should list
> all devices. As root, everything is ok, two IDE devices show up as
> normal, everything works fine. The problem is that I don't get it to
> work for a regular user. I tried:
>
>   chown root:cdrom /dev/sg0
>   chown root:cdrecorder /dev/sg1 (created the group)
>   chmod g+r sg0
>   chmod g+rw sg1
>   usermod -G dfokkema,cdrom,cdrecorder dfokkema
>
> I quit ssh and restarted it, and cdrdao scanbus gives nothing. No error,
> no lists, nothing.
>
> What should I do?
>
> David

I think you might need to setuid cdrdao

hth
Bob

Re: cdrdao / ide-scsi problem
>> Hi,
>>
>> I recompiled cdrdao for stable and installed it on my server and I want
>> to be able to use it as a regular user. Now, cdrdao scanbus should list
>> all devices. As root, everything is ok, two IDE devices show up as
>> normal, everything works fine. The problem is that I don't get it to
>> work for a regular user. I tried:
>>
>>   chown root:cdrom /dev/sg0
>>   chown root:cdrecorder /dev/sg1 (created the group)
>>   chmod g+r sg0
>>   chmod g+rw sg1
>>   usermod -G dfokkema,cdrom,cdrecorder dfokkema
>>
>> I quit ssh and restarted it, and cdrdao scanbus gives nothing. No
>> error, no lists, nothing.
>>
>> What should I do?
>>
>> David
>
> I think you might need to setuid cdrdao
>
> hth
> Bob

If there is any other way, I'd rather not do that, :-)

David