| 1 |
On Friday 27 January 2012 20:28:04 Chí-Thanh Christopher Nguyễn wrote: |
| 2 |
> Mike Frysinger schrieb: |
| 3 |
> > along these lines, why is cdrtools set*id ? if we have a "cdrom" group, |
| 4 |
> > and we assign our cdroms/dvdroms to that group, then we already have |
| 5 |
> > access control in place and can skip the set*id. |
| 6 |
> |
| 7 |
> From the manpage, "In order to be able to use the SCSI transport |
| 8 |
> subsystem of the OS, run at highest priority and lock itself into core |
| 9 |
> cdrecord either needs to be run as root, needs to be installed suid root |
| 10 |
> or must be called via RBACs pfexec mechanism." |
| 11 |
> |
| 12 |
> I guess with the advent of burnfree technology, the priority and locking |
| 13 |
> into memory have become less important. |
| 14 |
|
| 15 |
yeah, i would think if your system is loaded enough for this to be an issue, |
| 16 |
it's going to be an issue anyways. but i'd image mlock/rtprio could be |
| 17 |
enabled via pam and security/limits.conf for the cdrom group. |
| 18 |
|
| 19 |
> The cdrom group will give access to /dev/sr* but not the associated |
| 20 |
> /dev/sg* |
| 21 |
|
| 22 |
yes, it does: |
| 23 |
$ find -L /dev/* -maxdepth 0 -gid 19 |
| 24 |
/dev/cdrom |
| 25 |
/dev/cdrw |
| 26 |
/dev/dvd |
| 27 |
/dev/dvdrw |
| 28 |
/dev/scd0 |
| 29 |
/dev/sg6 |
| 30 |
/dev/sr0 |
| 31 |
-mike |
Archives