Thus spake Duncan on Sun, Oct 24, 2004 at 04:30:58AM CDT
> M. Edward Borasky posted <1098606984.29939.4.camel@6-allhosts>, excerpted
> below, on Sun, 24 Oct 2004 01:36:25 -0700:
>
> > On Sat, 2004-10-23 at 21:36, Lindsay Haisley wrote:
> >> I worked around my cdda2wav problem by using the paranoia lib
> >> ("-paranoia" option to cdda2wav). Apparently the problem is in the
> >> cdda2wav's routines.
> >>
> >>
> > My problems are more fundamental than that. "cdrecord" isn't functioning
> > with 2.6.8 and 2.6.9 kernels. I just backed out "cdrecord-prodvd", since I
> > don't have a DVD writer, and I've dropped back to a 2.4 kernel because
> > "cdrecord" issues all sorts of warnings.
>
> Well, more accurately, it's functional, but there were potential security
> issues (like the ability of any non-root person or task to erase entire
> disks, just by issuing the correct SCSI command!) with some of the SCSI
> commands used in CD/DVD burning. Over time, each command will have to be
> gone over and added to a "safe" or "unsafe" list, and the kernel adjusted
> accordingly. However, for the time being, whole classes of necessary
> functions were restricted to root-only (*NOT* available from SETUID apps
> like cdrecord and friends often are).
>
> Thus, one may choose to remain vulnerable to this and other security
> problems, or one can choose to restrict burning to root for the time being.

Since my desktop system is NATted to the world by a Linux firewall, and in a
SOHO office, I have my personal account in the wheel group, which is set in
sudoers as NOPASSWD: ALL, so I can run my CD burning stuff as root, no
problem.

> That's the stock kernel, which I BTW run. Some of the later Gentoo
> kernels have been patched to return to earlier insecure functionality.
> However, I haven't tracked which ones since I use a kernel.org kernel
> anyway, procuring it directly off of there, rather than using a Gentoo
> kernel ebuild.

I posted my problem to the gentoo bug tracker, and there's been a bit of
traffic on it. Seems there was an overhaul of SCSI in kernel 2.6.8 which
may have caused the problem. I have 2.6.9, and when I get time (after Nov
3rd or 4th) I'll try it and see if the problem is solved.

--
Lindsay Haisley       | "Fighting against human | PGP public key
FMP Computer Services | creativity is like      | available at
512-259-1190          | trying to eradicate     | <http://pubkeys.fmp.com>
http://www.fmp.com    | dandelions"             |
                      | (Pamela Jones)          |

--
gentoo-desktop@g.o mailing list