Nikos Chantziaras <realnc@×××××.com> wrote:

> > This may be an option for things that really are optional.
> >
> > Libcap however is not something optional but needed to support a basic security
> > feature.
>
> I thought it is optional, since it was mentioned that cdrtools can be
> built and run without it?

If you call something that is needed in order to prevent security holes
"optional", you may call it optional.

> Unless you mean "recommended" instead of "required." "Recommended"
> means it's still optional.

Is something to grant security optional or required?

> > As mentioned above, we are talking about a library to support basic security
> > features, so the code from that library would really belong in libc. Since
> > Linux now by default supports fcaps in the filesystems, cdrecord would open
> > a security hole if the library was not used - without that library, cdrecord
> > cannot even see that it has been called with additional privileges that need
> > to be removed before the main code is executed.
> >
> > Do you really like to go into a security risk with your eyes open?
>
> You don't know what my intentions are. I might be doing testing,
> debugging, who knows what. It's the "trying to be smarter than the
> user" thing. The defaults of course would be to build the software in a
> sane, secure way. Only users who know what they're doing would disable
> that, and they'd have their reasons.

Would you call someone who shoots himself in the foot "smart"?

Recent Linux kernels support fcaps in the filesystems and "somebody" evil, who
knows what he does, may even set up fcaps on executable files when the related
support-software is not installed, just because the unstable kernel interfaces
are accessible from libc.

Do you like people to be able to open security holes?

Jörg

--
EMail:joerg@××××××××××××××××××××××××.de (home) Jörg Schilling D-13353 Berlin
js@××××××××××××.de (uni)
joerg.schilling@××××××××××××××××.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
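
The startup step this message refers to (notice that the process was started with extra capabilities, then remove them before the main code runs), as an added example that is not part of the original mail and is not cdrtools code. It is Linux-only and uses the raw capget(2)/capset(2) syscalls so that it builds without the libcap headers; libcap's cap_get_proc() and cap_set_proc() wrap the same calls. The function names and the keep mask are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read this process's capability sets (two 32-bit words each); 0 on success. */
static int caps_read(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, 2 * sizeof(data[0]));
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if any permitted or effective capability is held, 0 if none, -1 on error.
 * A binary started via file capabilities (or as root) reports 1 here. */
int caps_held(void)
{
    struct __user_cap_data_struct d[2];
    if (caps_read(d) != 0)
        return -1;
    return (d[0].permitted | d[1].permitted |
            d[0].effective | d[1].effective) != 0;
}

/* Keep only the capabilities in keep_lo (capability numbers 0..31) that are
 * already permitted; clear everything else, including the inheritable set,
 * so nothing is passed on to programs executed later. 0 on success. */
int caps_reduce_to(unsigned int keep_lo)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (caps_read(d) != 0)
        return -1;
    d[0].permitted &= keep_lo;
    d[0].effective &= keep_lo;   /* effective must stay within permitted */
    d[0].inheritable = 0;
    d[1].permitted = d[1].effective = d[1].inheritable = 0;
    return (int)syscall(SYS_capset, &hdr, d);
}

int main(void)
{
    printf("capabilities held at startup: %d\n", caps_held());
    if (caps_reduce_to(0) != 0) {            /* keep mask 0: drop everything */
        perror("capset");
        return 1;                            /* refuse to run with privileges */
    }
    printf("capabilities held after drop: %d\n", caps_held());
    return 0;
}
```

A program that needs one capability for its privileged setup would pass that capability's bit as the keep mask, do the setup, and then call `caps_reduce_to(0)`.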