Re: PATCH: cdrecord: avoiding scsi device numbering for ide devices

[Horst von Brand]

Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@xxxxxxxxxxxxxx> said:
> On Thursday 19 August 2004 16:32, Alan Cox wrote:
> > On Iau, 2004-08-19 at 15:32, Frank Steiner wrote:
> > > What a stupid claim. When I call cdrecord on SuSE 9.1, I can burn CDs and
> > > DVDs as normal user, without root permissions, without suid, without
> > > ide-scsi, using /dev/hdc as device.
> > >
> > > And this just works fine. So where's the problem?
> >
> > You can also erase the drive firmware as a user etc. That's the problem.
> > When you fix that cdrecord gets broken by the security fix if you are
> > using the SG_IO interface. Patches are kicking around to try and sort
> > things out so cd burning is safe as non-root. cdrecord works as root.
> >
> > As a security fix it was sufficiently important that it had to be done.

> IMO work-rounding this in kernel is a bad idea and could break a lot of
> existing apps (some you even don't know about).  Much better way to deal
> with this is to create library for handling I/O commands submission and
> gradually teach user-space apps to use it.

Sorry to disagree, but no way. If security is involved, depending on people
do do "the right thing" because they are nice (and update their code, and
follow "good practice", and ...) is suicide. Better be safe, and swallow
the flames caused by unfixed apps while it lasts.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/