Mike Chambers | 5 Jul 17:57

cdrecord permission problems

I can't seem to use anything to burn a cd, thinking permission problems?
I don't know why it would be that, if it is the problem, as I didn't
change anything to do it. 

Anyway, when trying with k3b (I mainly just use nautilus and right click
on the file to write to disc), I got this debug message..

System
-----------------------
K3b Version: 1.0.5

KDE Version: 3.5.9-16.fc9 Fedora
QT Version:  3.3.8b
Kernel:      2.6.25.9-76.fc9.i686
Devices
-----------------------
ATAPI DVD A  DH16A1L KH1A (/dev/sr0, ) [CD-R, CD-RW, CD-ROM, DVD-ROM,
DVD-R, DVD-RW, DVD-R DL, DVD+R, DVD+RW, DVD+R DL] [DVD-ROM, DVD-R
Sequential, DVD-R Dual Layer Sequential, DVD-R Dual Layer Jump, DVD-RAM,
DVD-RW Restricted Overwrite, DVD-RW Sequential, DVD+RW, DVD+R, DVD+R
Dual Layer, CD-ROM, CD-R, CD-RW] [TAO, Restricted Overwrite, Layer Jump]

Used versions
-----------------------
cdrecord: 1.1.6

cdrecord
-----------------------
TOC Type: 1 = CD-ROM
/usr/bin/wodim: Operation not permitted. Warning: Cannot raise

Re: cdrecord permission problems

On Sat, 2008-07-05 at 11:01 -0500, Mike Chambers wrote:
> I can't seem to use anything to burn a cd, thinking permission problems?
> I don't know why it would be that, if it is the problem, as I didn't
> change anything to do it. 
> 
> Anyway, when trying with k3b (I mainly just use nautilus and right click
> on the file to write to disc), I got this debug message..
> 
> System
> -----------------------
> K3b Version: 1.0.5
> 
> KDE Version: 3.5.9-16.fc9 Fedora
> QT Version:  3.3.8b
> Kernel:      2.6.25.9-76.fc9.i686
> Devices
> -----------------------
> ATAPI DVD A  DH16A1L KH1A (/dev/sr0, ) [CD-R, CD-RW, CD-ROM, DVD-ROM,
> DVD-R, DVD-RW, DVD-R DL, DVD+R, DVD+RW, DVD+R DL] [DVD-ROM, DVD-R
> Sequential, DVD-R Dual Layer Sequential, DVD-R Dual Layer Jump, DVD-RAM,
> DVD-RW Restricted Overwrite, DVD-RW Sequential, DVD+RW, DVD+R, DVD+R
> Dual Layer, CD-ROM, CD-R, CD-RW] [TAO, Restricted Overwrite, Layer Jump]
> 
> Used versions
> -----------------------
> cdrecord: 1.1.6
> 
> cdrecord
> -----------------------
> TOC Type: 1 = CD-ROM

Antonio Olivares | 5 Jul 19:15

Re: cdrecord permission problems

--- On Sat, 7/5/08, Mike Chambers <mike <at> miketc.com> wrote:

> From: Mike Chambers <mike <at> miketc.com>
> Subject: cdrecord permission problems
> To: "Fedora" <fedora-list <at> redhat.com>
> Date: Saturday, July 5, 2008, 9:01 AM
> I can't seem to use anything to burn a cd, thinking
> permission problems?
> I don't know why it would be that, if it is the
> problem, as I didn't
> change anything to do it. 
> 
> Anyway, when trying with k3b (I mainly just use nautilus
> and right click
> on the file to write to disc), I got this debug message..
> 
> System
> -----------------------
> K3b Version: 1.0.5
> 
> KDE Version: 3.5.9-16.fc9 Fedora
> QT Version:  3.3.8b
> Kernel:      2.6.25.9-76.fc9.i686
> Devices
> -----------------------
> ATAPI DVD A  DH16A1L KH1A (/dev/sr0, ) [CD-R, CD-RW,
> CD-ROM, DVD-ROM,
> DVD-R, DVD-RW, DVD-R DL, DVD+R, DVD+RW, DVD+R DL] [DVD-ROM,
> DVD-R
> Sequential, DVD-R Dual Layer Sequential, DVD-R Dual Layer

Rex Dieter | 6 Jul 16:41

Re: cdrecord permission problems

Mike Chambers wrote:

> I can't seem to use anything to burn a cd, thinking permission problems?
> I don't know why it would be that, if it is the problem, as I didn't
> change anything to do it.

May be resolved with a recent udev-124-1.fc9.2 update

-- Rex

--

-- 
fedora-list mailing list
fedora-list <at> redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Bill Davidsen | 7 Jul 02:32

Re: cdrecord permission problems

Mike Chambers wrote:
> I can't seem to use anything to burn a cd, thinking permission problems?
> I don't know why it would be that, if it is the problem, as I didn't
> change anything to do it. 
> 
> Anyway, when trying with k3b (I mainly just use nautilus and right click
> on the file to write to disc), I got this debug message..
> 
Note that cdrecord doesn't come with Fedora, there is a link by that 
name which leads to wodim. The usual drill is to change group on 
"cdrecord" to a new group, make the owner root, change perms to 4754, 
and it should work. I highly advise downloading the real cdrecord rather 
than using the "looks like" version.

I've said this here before...

-- 
Bill Davidsen <davidsen <at> tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot


Alan Cox | 7 Jul 17:52

Re: cdrecord permission problems

> Note that cdrecord doesn't come with Fedora, there is a link by that 
> name which leads to wodim. The usual drill is to change group on 

wodim is the free software fork from cdrecord with other stuff added.

> "cdrecord" to a new group, make the owner root, change perms to 4754, 
> and it should work. I highly advise downloading the real cdrecord rather 
> than using the "looks like" version.

I would advise the reverse. For one wodim doesn't need to be setuid root
which is quite a dangerous thing to enable on a large binary (although
cdrecord has a good security history)

Alan
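
An added example, not part of any post in this thread: a small shell helper that decodes an octal mode such as the 4754 discussed above and reports which principals would run the binary with its owner's privileges. The function names and the `cdwriters` group are assumptions, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: who gains the owner's privileges from a setuid binary?
# Function names and the "cdwriters" group are hypothetical.

# setuid_exposure MODE OWNER GROUP
# Prints "none" when the setuid bit is clear; otherwise the principals
# whose execute bit lets them run the file with OWNER's privileges.
setuid_exposure() {
    mode=$1; owner=$2; group=$3
    case $mode in
        ''|*[!0-7]*) echo "invalid octal mode: $mode" >&2; return 2 ;;
    esac
    bits=$(( 0$mode ))                 # leading 0 forces octal parsing
    if [ $(( bits & 04000 )) -eq 0 ]; then
        echo "none"; return 0
    fi
    who=""
    if [ $(( bits & 0100 )) -ne 0 ]; then who="owner:$owner"; fi
    if [ $(( bits & 0010 )) -ne 0 ]; then who="${who:+$who,}group:$group"; fi
    if [ $(( bits & 0001 )) -ne 0 ]; then who="${who:+$who,}other"; fi
    echo "${who:-nobody}"
}

# audit_file PATH: same report for a real file (GNU stat assumed).
audit_file() {
    info=$(stat -c '%a %U %G' -- "$1") || return 1
    # Intentional word splitting: mode, owner, group
    set -- $info
    setuid_exposure "$1" "$2" "$3"
}

# Constructed sample entries: mode owner group label
while read -r m o g label; do
    printf '%-28s %s\n' "$label ($m)" "$(setuid_exposure "$m" "$o" "$g")"
done <<'EOF'
4754 root cdwriters thread's-suggested-setup
4755 root root world-executable-setuid
0755 root root no-setuid
EOF
```

With mode 4754 only the owner and members of the dedicated group can execute the binary as root, so the group's membership is the access-control list for that privilege.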


Bill Davidsen | 7 Jul 19:01

Re: cdrecord permission problems

Alan Cox wrote:
>> Note that cdrecord doesn't come with Fedora, there is a link by that 
>> name which leads to wodim. The usual drill is to change group on 
>>     
>
> wodim is the free software fork from cdrecord with other stuff added.
>
>   
>> "cdrecord" to a new group, make the owner root, change perms to 4754, 
>> and it should work. I highly advise downloading the real cdrecord rather 
>> than using the "looks like" version.
>>     
>
> I would advise the reverse. For one wodim doesn't need to be setuid root
> which is quite a dangerous thing to enable on a large binary (although
> cdrecord has a good security history)
>   

The reason setuid is needed is to allow use of vendor commands, and the 
command filter in the kernel doesn't allow some as non-root. Certain 
people in the kernel community refuse to add these commands, the author 
of cdrecord lacks any ability to work with others and ask nicely. Net 
result of this pissing contest is that "real" cdrecord will burn some 
combinations of media and hardware which wodim won't.

The right answer would be to have the kernel provide a way such as group 
id, so I could identify devices and programs I trust with each other. 
Hang the capability on a flag I could set, and the whole problem would 
go away. Needless to say that wouldn't satisfy any of the people involved.


Alan Cox | 7 Jul 18:27

Re: cdrecord permission problems

> The reason setuid is needed is to allow use of vendor commands, and the 
> command filter in the kernel doesn't allow some as non-root. Certain 
> people in the kernel community refuse to add these commands, the author 

Actually that's untrue. We've added commands where it is safe to do so and
we've also repeatedly said to people who wanted to customise the command
list "send patches". Nobody has.

> The right answer would be to have the kernel provide a way such as group 
> id, so I could identify devices and programs I trust with each other. 

That doesn't work. If you give a process access to a CD it can change the
firmware which means next reboot it controls the system. Thus the only
logical thing you can give it is pretty much "all powers"

Alan


stan | 7 Jul 19:07

Re: cdrecord permission problems

Alan Cox wrote:
>> The reason setuid is needed is to allow use of vendor commands, and the 
>> command filter in the kernel doesn't allow some as non-root. Certain 
>> people in the kernel community refuse to add these commands, the author 
>>     
>
> Actually that's untrue. We've added commands where it is safe to do so and
> we've also repeatedly said to people who wanted to customise the command
> list "send patches". Nobody has.
>
>   
>> The right answer would be to have the kernel provide a way such as group 
>> id, so I could identify devices and programs I trust with each other. 
>>     
>
> That doesn't work. If you give a process access to a CD it can change the
> firmware which means next reboot it controls the system. Thus the only
> logical thing you can give it is pretty much "all powers"
>
> Alan
>
>   
I recently read a paper about the role-based security now in the kernel.
Would your last statement be true under that scenario?  That is, if a cd
role was created as restricted as it could be?  Would it be true if the
role was combined with SELinux?

I'm just curious and you seem like you have the knowledge to answer this.


Alan Cox | 7 Jul 20:17

Re: cdrecord permission problems

> I recently read a paper about the role-based security now in the kernel.  
> Would your last statement be true under that scenario?  That is, if a cd role was 
> created as restricted as it could be?  Would it be true if the role was combined
> with SELinux?

I'd still be able to patch the firmware to make the drive hand back a
fake bootable image which hacked the box before Linux ever ran (assuming
the CD drive was in the boot order)

The right answer is to have patches to let HAL update the command table
according to the drive identity. So far nobody has considered it
important enough to produce some (that I've seen anyway).

You might want to combine that with role based security or SELinux rules

Alan


Bill Davidsen | 8 Jul 00:14

Re: cdrecord permission problems

Alan Cox wrote:
>> The reason setuid is needed is to allow use of vendor commands, and the 
>> command filter in the kernel doesn't allow some as non-root. Certain 
>> people in the kernel community refuse to add these commands, the author 
> 
> Actually that's untrue. We've added commands where it is safe to do so and
> we've also repeatedly said to people who wanted to customise the command
> list "send patches". Nobody has.
> 
What patches? Below you reject the idea of specifying processes I trust 
to write individual devices, any patch to add commands to the allowed 
commands table in a running system could hardly be safer, and the table 
applies to all processes and CD devices, while I propose matching g+rw 
on the device with eGID of the process at open and setting some "trust" 
flag. That allows me to trust only a single device to a single process.

>> The right answer would be to have the kernel provide a way such as group 
>> id, so I could identify devices and programs I trust with each other. 
> 
> That doesn't work. If you give a process access to a CD it can change the
> firmware which means next reboot it controls the system. Thus the only
> logical thing you can give it is pretty much "all powers"

Anyone who puts anything ahead of the disk in the boot sequence is 
asking to leave a media in a drive at next boot. Stupidity, like virtue, 
is its own reward.

--

-- 
Bill Davidsen <davidsen <at> tmr.com>
   "We have more to fear from the bungling of the incompetent than from

Alan Cox | 8 Jul 08:44

Re: cdrecord permission problems

> What patches? Below you reject the idea of specifying processes I trust 
> to write individual devices, any patch to add commands to the allowed 
> commands table in a running system could hardly be safer, and the table 
> applies to all processes and CD devices, while I propose matching g+rw 
> on the device with eGID of the process at open and setting some "trust" 
> flag. That allows me to trust only a single device to a single process.

It would be far safer. A configurable command filter stops people issuing
problem commands, a trust this program flag means you are exposed to all
sorts of potential bugs in the programs that you choose to trust.

In the command filter case there is no privilege escalation required. HAL
already runs at early boot and clean of user ability to fiddle so can set
up the tables itself.

> Anyone who puts anything ahead of the disk in the boot sequence is 
> asking to leave a media in a drive at next boot. Stupidity, like virtue, 
> is its own reward.

What a lovely way to treat users, most of whom will have CD first because
that is how the vendors ship their PC.

Alan


Antonio Olivares | 7 Jul 19:33

Re: cdrecord permission problems

--- On Mon, 7/7/08, Alan Cox <alan <at> lxorguk.ukuu.org.uk> wrote:

> From: Alan Cox <alan <at> lxorguk.ukuu.org.uk>
> Subject: Re: cdrecord permission problems
> To: fedora-list <at> redhat.com
> Cc: davidsen <at> tmr.com
> Date: Monday, July 7, 2008, 8:52 AM
> > Note that cdrecord doesn't come with Fedora, there
> is a link by that 
> > name which leads to wodim. The usual drill is to
> change group on 
> 
> wodim is the free software fork from cdrecord with other
> stuff added.
cdrtools is also free.  What makes wodim 'freer'

http://www.opensource.org/docs/osd

> 
> > "cdrecord" to a new group, make the owner
> root, change perms to 4754, 
> > and it should work. I highly advise downloading the
> real cdrecord rather 
> > than using the "looks like" version.
> 
> I would advise the reverse. For one wodim doesn't need
> to be setuid root
> which is quite a dangerous thing to enable on a large
> binary (although
> cdrecord has a good security history)

Alan Cox | 7 Jul 20:12

Re: cdrecord permission problems

On Mon, 7 Jul 2008 10:33:04 -0700 (PDT)
Antonio Olivares <olivares14031 <at> yahoo.com> wrote:

> --- On Mon, 7/7/08, Alan Cox <alan <at> lxorguk.ukuu.org.uk> wrote:
> 
> > From: Alan Cox <alan <at> lxorguk.ukuu.org.uk>
> > Subject: Re: cdrecord permission problems
> > To: fedora-list <at> redhat.com
> > Cc: davidsen <at> tmr.com
> > Date: Monday, July 7, 2008, 8:52 AM
> > > Note that cdrecord doesn't come with Fedora, there
> > is a link by that 
> > > name which leads to wodim. The usual drill is to
> > change group on 
> > 
> > wodim is the free software fork from cdrecord with other
> > stuff added.
> cdrtools is also free.  What makes wodim 'freer'
> 
> http://www.opensource.org/docs/osd

The DVD version of cdrecord was payware while the DVD support in wodim is
not.

Alan


Antonio Olivares | 7 Jul 20:58

Re: cdrecord permission problems

--- On Mon, 7/7/08, Alan Cox <alan <at> lxorguk.ukuu.org.uk> wrote:

> From: Alan Cox <alan <at> lxorguk.ukuu.org.uk>
> Subject: Re: cdrecord permission problems
> To: olivares14031 <at> yahoo.com, "For users of Fedora" <fedora-list <at> redhat.com>
> Cc: olivares14031 <at> yahoo.com
> Date: Monday, July 7, 2008, 11:12 AM
> On Mon, 7 Jul 2008 10:33:04 -0700 (PDT)
> Antonio Olivares <olivares14031 <at> yahoo.com> wrote:
> 
> > --- On Mon, 7/7/08, Alan Cox
> <alan <at> lxorguk.ukuu.org.uk> wrote:
> > 
> > > From: Alan Cox <alan <at> lxorguk.ukuu.org.uk>
> > > Subject: Re: cdrecord permission problems
> > > To: fedora-list <at> redhat.com
> > > Cc: davidsen <at> tmr.com
> > > Date: Monday, July 7, 2008, 8:52 AM
> > > > Note that cdrecord doesn't come with
> Fedora, there
> > > is a link by that 
> > > > name which leads to wodim. The usual drill
> is to
> > > change group on 
> > > 
> > > wodim is the free software fork from cdrecord
> with other
> > > stuff added.
> > cdrtools is also free.  What makes wodim
> 'freer'

Bill Davidsen | 8 Jul 05:22

Re: cdrecord permission problems

Alan Cox wrote:
> On Mon, 7 Jul 2008 10:33:04 -0700 (PDT)
> Antonio Olivares <olivares14031 <at> yahoo.com> wrote:
> 
>> --- On Mon, 7/7/08, Alan Cox <alan <at> lxorguk.ukuu.org.uk> wrote:
>>
>>> From: Alan Cox <alan <at> lxorguk.ukuu.org.uk>
>>> Subject: Re: cdrecord permission problems
>>> To: fedora-list <at> redhat.com
>>> Cc: davidsen <at> tmr.com
>>> Date: Monday, July 7, 2008, 8:52 AM
>>>> Note that cdrecord doesn't come with Fedora, there
>>> is a link by that 
>>>> name which leads to wodim. The usual drill is to
>>> change group on 
>>>
>>> wodim is the free software fork from cdrecord with other
>>> stuff added.
>> cdrtools is also free.  What makes wodim 'freer'
>>
>> http://www.opensource.org/docs/osd
> 
> The DVD version of cdrecord was payware while the DVD support in wodim is
> not.
> 
I'm not sure wodim even existed in those days. Certainly the DVD stuff 
has been in the open source release for a long time, since Joerg lacks 
the people skills to even let people give him money. I suggested he just 
get a Paypal account and ask for donations, he wanted payment by 
International Money Order payable in Euros.