suid cdrecord

Colleen Beamer colleen.beamer at gmail.com
Tue Jan 18 23:59:41 UTC 2005


On Tue, 18 Jan 2005 15:51:08 -0500 (EST),
fedora-list-request at redhat.com <fedora-list-request at redhat.com> wrote:
 
Juliano Ravasi Ferraz <ml at juliano.info> wrote:

> Nifty Hat Mitch wrote:
> > For the short term try running it with sudo and not setting it SUID.
> > Sudo gives you some control over who can run it.  SUID opens it wide.
> 
> Dunno... A well written suid application is much more secure than the
> same application with sudo. If I suid it, it means that anyone will be
> able to, for example: `sudo cdrecord dev=/dev/hdc -data
> /etc/ssh/ssh_host_key´ ... Oops... :-/
> 
> > It is possible (under properties for the icon) in many cases to add
> > sudo to the command for the point and click iconic folks out there.

You CANNOT run k3b as a normal user with cdrecord setuid root.

How do I know?  I had the same problem and posted to another list. 
The response that I got was that according to Linus Torvalds and Alan
Cox, running cdrecord with the suid bit set is a serious security
risk.  If you let k3b set permissions for you, it WILL set the suid
bit and you won't be able to run k3b as a normal user.

Set the permissions bits manually:

Here are mine:

-rwx--x--x  1 root burning 329612 Oct 18 09:56 cdrecord

cdrecord should be located in /usr/bin

Do a 'chmod 711 cdrecord' in /usr/bin.
Make sure that if you go into k3b setup, you uncheck the box beside
the executable, so it won't change permissions and ignore any messages
that the program gives you about permissions.

As you will notice, I've also set up a "burning" group and you can
tell k3b to use this group.

You might also want to change cdrdao if you need to.

Regards,

Colleen
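
A check for the setup described in the message above, as an added example that is not part of the original post: it reports whether a burning tool has had the setuid bit set again (for instance by k3b setup) and whether its mode still matches the -rwx--x--x listing. The function names are hypothetical, and the paths in the usage comment assume the tools live in /usr/bin.

```shell
#!/bin/sh
# Added example (not from the original post): audit burning tools for the
# setuid bit and for the 711 mode shown in the post's ls listing.
# Function names are hypothetical.

EXPECTED_PERMS='-rwx--x--x'   # mode 711, as in the post

# check_burn_binary FILE
# Prints one status line. Returns 0 if FILE matches the expected mode,
# 1 if it is setuid or has a different mode, 2 if it does not exist.
check_burn_binary() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING  $f"
        return 2
    fi
    # First ten characters of the ls mode column; a trailing ACL or
    # SELinux marker ('+' or '.') is cut off.
    perms=$(ls -ld -- "$f" | cut -c1-10)
    if [ -u "$f" ]; then
        echo "SETUID   $f ($perms): run 'chmod 711 $f'"
        return 1
    fi
    if [ "$perms" != "$EXPECTED_PERMS" ]; then
        echo "MODE     $f ($perms): expected $EXPECTED_PERMS"
        return 1
    fi
    echo "OK       $f ($perms)"
    return 0
}

# audit_burn_binaries FILE...
# Checks every FILE. Missing tools are reported but not counted as failures
# (cdrdao may not be installed). Returns 1 if any file needs attention.
audit_burn_binaries() {
    rc=0
    for f in "$@"; do
        status=0
        check_burn_binary "$f" || status=$?
        if [ "$status" -eq 1 ]; then rc=1; fi
    done
    return "$rc"
}

# Usage (assumed paths): audit_burn_binaries /usr/bin/cdrecord /usr/bin/cdrdao
```

Running it again after visiting k3b setup shows whether the permissions were changed behind your back.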



