| 1 |
Thus spake Duncan on Sun, Oct 24, 2004 at 04:30:58AM CDT |
| 2 |
> M. Edward Borasky posted <1098606984.29939.4.camel@6-allhosts>, excerpted |
| 3 |
> below, on Sun, 24 Oct 2004 01:36:25 -0700: |
| 4 |
> |
| 5 |
> > On Sat, 2004-10-23 at 21:36, Lindsay Haisley wrote: |
| 6 |
> >> I worked around my cdda2wav problem by using the paranoia lib |
| 7 |
> >> ("-paranoia" option to cdda2wav). Apparently the problem is in the |
| 8 |
> >> cdda2wav's routines. |
| 9 |
> >> |
| 10 |
> >> |
| 11 |
> > My problems are more fundamental than that. "cdrecord" isn't functioning |
| 12 |
> > with 2.6.8 and 2.6.9 kernels. I just backed out "cdrecord-prodvd", since I |
| 13 |
> > don't have a DVD writer, and I've dropped back to a 2.4 kernel because |
| 14 |
> > "cdrecord" issues all sorts of warnings. |
| 15 |
> |
| 16 |
> Well, more accurately, it's functional, but there were potential security |
| 17 |
> issues (like the ability of any non-root person or task to erase entire |
| 18 |
> disks, just by issuing the correct SCSI command!) with some of the SCSI |
| 19 |
> commands used in CD/DVD burning. Over time, each command will have to be |
| 20 |
> gone over and added to a "safe" or "unsafe" list, and the kernel adjusted |
| 21 |
> accordingly. However, for the time being, whole classes of necessary |
| 22 |
> functions were restricted to root-only (*NOT* available from SETUID apps |
| 23 |
> like cdrecord and friends often are). |
| 24 |
> |
| 25 |
> Thus, one may choose to remain vulnerable to this and other security |
| 26 |
> problems, or one can choose to restrict burning to root for the time being. |
| 27 |
|
| 28 |
Since my desktop system is NATted to the world by a Linux firewall, and in a |
| 29 |
SOHO office, I have my personal account in the wheel group, which is set in |
| 30 |
sudoers as NOPASSWD: ALL, so I can run my CD burning stuff as root, no |
| 31 |
problem. |
| 32 |
|
| 33 |
> That's the stock kernel, which I BTW run. Some of the later Gentoo |
| 34 |
> kernels have been patched to return to earlier insecure functionality. |
| 35 |
> However, I haven't tracked which ones since I use a kernel.org kernel |
| 36 |
> anyway, procuring it directly off of there, rather than using a Gentoo |
| 37 |
> kernel ebuild. |
| 38 |
|
| 39 |
I posted my problem to the gentoo bug tracker, and there's been a bit of |
| 40 |
traffic on it. Seems there was an overhaul of SCSI in kernel 2.6.8 which |
| 41 |
may have caused the problem. I have 2.6.9, and when I get time (after Nov |
| 42 |
3rd or 4th) I'll try it and see if the problem is solved. |
| 43 |
|
| 44 |
-- |
| 45 |
Lindsay Haisley | "Fighting against human | PGP public key |
| 46 |
FMP Computer Services | creativity is like | available at |
| 47 |
512-259-1190 | trying to eradicate | <http://pubkeys.fmp.com> |
| 48 |
http://www.fmp.com | dandelions" | |
| 49 |
| (Pamela Jones) | |
| 50 |
|
| 51 |
-- |
| 52 |
gentoo-desktop@g.o mailing list |
Archives