Re: PATCH: cdrecord: avoiding scsi device numbering for ide devices

[Bartlomiej Zolnierkiewicz]

On Thursday 19 August 2004 16:32, Alan Cox wrote:
> On Iau, 2004-08-19 at 15:32, Frank Steiner wrote:
> > What a stupid claim. When I call cdrecord on SuSE 9.1, I can burn CDs and
> > DVDs as normal user, without root permissions, without suid, without
> > ide-scsi, using /dev/hdc as device.
> >
> > And this just works fine. So where's the problem?
>
> You can also erase the drive firmware as a user etc. That's the problem.
> When you fix that cdrecord gets broken by the security fix if you are
> using the SG_IO interface. Patches are kicking around to try and sort
> things out so cd burning is safe as non-root. cdrecord works as root.
>
> As a security fix it was sufficiently important that it had to be done.

IMO work-rounding this in kernel is a bad idea and could break a lot of 
existing apps (some you even don't know about).  Much better way to deal with 
this is to create library for handling I/O commands submission and gradually 
teach user-space apps to use it.

Bartlomiej
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/