cdrecord permission problems
stan
goedigi89__e at cox.net
Mon Jul 7 17:07:50 UTC 2008
Alan Cox wrote:
>> The reason setuid is needed is to allow use of vendor commands, and the
>> command filter in the kernel doesn't allow some as non-root. Certain
>> people in the kernel community refuse to add these command, the author
>>
>
> Actually thats untrue. We've added commands where it is safe to do so and
> we've also repeatedly said to people who wanted to customise the command
> list "send patches". Nobody has.
>
>
>> The right answer would be to have the kernel provide a way such as group
>> id, so I could identify devices and programs I trust with each other.
>>
>
> That doesn't work. If you give a process access to a CD it can change the
> firmware which means next reboot it controls the system. Thus the only
> logical thing you can give it is pretty much "all powers"
>
> Alan
>
>
I recently read a paper about the role base security now in the kernel.
Would your last
statement be true under that scenario? That is, if a cd role was
created as restricted as
it could be? Would it be true if the role was combined with SELinux?
I'm just curious and you seem like you have the knowledge to answer this.
More information about the fedora-list
mailing list