On Friday 27 January 2012 20:28:04 Chí-Thanh Christopher Nguyễn wrote:
> Mike Frysinger wrote:
> > along these lines, why is cdrtools set*id ? if we have a "cdrom" group,
> > and we assign our cdroms/dvdroms to that group, then we already have
> > access control in place and can skip the set*id.
>
> From the manpage, "In order to be able to use the SCSI transport
> subsystem of the OS, run at highest priority and lock itself into core
> cdrecord either needs to be run as root, needs to be installed suid root
> or must be called via RBACs pfexec mechanism."
>
> I guess with the advent of burnfree technology, the priority and locking
> into memory have become less important.
|
yeah, i would think if your system is loaded enough for this to be an issue,
it's going to be an issue anyways. but i'd imagine mlock/rtprio could be
enabled via pam and security/limits.conf for the cdrom group.
|
> The cdrom group will give access to /dev/sr* but not the associated
> /dev/sg*
|
yes, it does:
$ find -L /dev/* -maxdepth 0 -gid 19
/dev/cdrom
/dev/cdrw
/dev/dvd
/dev/dvdrw
/dev/scd0
/dev/sg6
/dev/sr0
-mike
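
The pam/limits.conf approach suggested in the message above, written out as an added example that is not part of the original mail. The numeric values and the PAM file path are assumptions chosen for illustration.

```conf
# --- /etc/security/limits.conf (or a drop-in under /etc/security/limits.d/) ---
# Format: <domain> <type> <item> <value>
# "@cdrom" matches members of the cdrom group; type "-" sets both the
# soft and the hard limit.

# Locked-memory ceiling in KB, so a non-root burner process can lock its
# buffers in core. Assumed value: bounded rather than "unlimited", so a
# group member cannot pin arbitrary amounts of RAM.
@cdrom    -    memlock    65536

# Highest real-time scheduling priority a group member may request.
# Assumed value; kept below the maximum so kernel threads and watchdogs
# running at higher real-time priorities are not starved.
@cdrom    -    rtprio     50

# --- PAM session stack of the login service ---
# (assumed path: /etc/pam.d/system-auth; it differs between distributions)
# pam_limits reads the entries above and applies them when the session
# opens, so they take effect at the next login of a cdrom group member.
session    required    pam_limits.so
```

With these limits in place and the device nodes owned by the cdrom group as in the find output above, `ulimit -l` and `ulimit -r` in a new login session of a group member show whether the limits were applied.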