Daniel Pielmeier <bil...@gentoo.org> wrote:

> > I am concerned about a different scenario:
> >
> > Imagine, you compile cdrtools without libcap and later install the support for
> > the OS. Now you decide to use "setcap" to make cdrecord work. Cdrecord will
> > really work this way, but you opened a security hole as this cdrecord now is
> > not privileges aware and thus cannot even detect that it is running with more
> > than basic privileges. Such a cdrecord installation will happily write any
> > local file for any local user to CD.
> >
> > Jörg
>
> If you add an option to make conditional linkage against libcap possible
> there are only two possible scenarios. cdrtools links against libcap and
> the capabilities are set or it doesn't link against libcap and cdrtools
> are installed suid root without capabilities.
>
> Everything is done in the ebuild and the user does not need to mess with
> setcap. It is controlled by the package manager and the linkage and
> capability setting are tied together at installation time.
>
> Just adding an option similar to the one for the ACLs would make my life
> a lot easier. Just enable it by default and make it possible to switch
> it off.
I am not sure whether there is a misunderstanding. You could have an installation without libcap and without setcap/getcap where cdrecord still has active file capabilities. Nobody could check why, but cdrecord would be able to write any local file to CD on such a system.

The only problem I see is that you are able to remove important software on a Linux installation while the kernel still supports the feature by default.

Jörg

-- 
EMail:jo...@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
j...@cs.tu-berlin.de (uni)
joerg.schill...@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
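The file capabilities both messages talk about are stored by the kernel in the binary's `security.capability` extended attribute (struct vfs_cap_data from the kernel's capability.h), and a running process's own capability sets appear as CapInh/CapPrm/CapEff lines in /proc/self/status. Neither location needs libcap, setcap or getcap to read: plain xattr and procfs access is enough to tell whether a cdrecord binary carries capabilities on a box where libcap has been removed, and a program that wants to be "privileges aware" can read its own CapEff the same way. The following script is an added example written for this page; it is not code from cdrtools, from the Gentoo ebuild, or from anyone in this thread. The sample capability blob and status text inside it are constructed for the example (a hypothetical cap_dac_override,cap_sys_rawio+ep grant) and are not taken from any real installation; the live lookups only work on Linux.

```python
"""Inspect Linux file capabilities and process capabilities without libcap.

Added example for the thread above; sample data below is constructed.
"""
import errno
import os
import struct
import sys

# Constants from the kernel's include/uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000   # 12 bytes: one (permitted, inheritable) u32 pair
VFS_CAP_REVISION_2 = 0x02000000   # 20 bytes: two pairs -> 64-bit masks
VFS_CAP_REVISION_3 = 0x03000000   # 24 bytes: v2 layout plus a rootid (user namespaces)

# Capability numbers by bit position (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40)
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed sample: what `setcap cap_dac_override,cap_sys_rawio+ep` would store
# (bits 1 and 17 permitted, effective flag set, v2 layout). Not from a real system.
SAMPLE_CAP_BLOB = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                              0x20002, 0, 0, 0)
# Constructed /proc/<pid>/status excerpt for a process started from such a binary.
SAMPLE_STATUS = ("Name:\tcdrecord\nCapInh:\t0000000000000000\nCapPrm:\t0000000000020002\n"
                 "CapEff:\t0000000000020002\nCapBnd:\t000001ffffffffff\n")


def mask_to_names(mask):
    """Translate a capability bitmask into capability names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def decode_vfs_cap(blob):
    """Decode a raw security.capability xattr value (struct vfs_cap_data)."""
    if len(blob) < 4:
        raise ValueError("xattr too short for a vfs_cap_data header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_1: 12, VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(rev)
    if expected is None or len(blob) != expected:
        raise ValueError("unknown revision 0x%08x or bad length %d" % (rev, len(blob)))
    permitted = inheritable = 0
    for i in range(1 if rev == VFS_CAP_REVISION_1 else 2):   # data[0] = low word, data[1] = high
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == VFS_CAP_REVISION_3 else 0
    return {"revision": rev >> 24, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}


def parse_status_caps(text):
    """Pull the Cap* hex masks out of /proc/<pid>/status text."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key] = int(value.strip(), 16)
    return caps


def file_caps(path):
    """Return decoded file capabilities for `path`, or None if it carries none (Linux only)."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        raise OSError("os.getxattr is not available on this platform")
    try:
        blob = getxattr(path, "security.capability")
    except OSError as e:
        if e.errno in (getattr(errno, "ENODATA", None), errno.ENOTSUP):
            return None
        raise
    return decode_vfs_cap(blob)


def self_caps():
    """Capability sets of the running process, read straight from procfs (Linux only)."""
    with open("/proc/self/status") as f:
        return parse_status_caps(f.read())


if __name__ == "__main__":
    # Usage: python3 fcaps.py /usr/bin/cdrecord
    for path in sys.argv[1:]:
        info = file_caps(path)
        if info is None:
            print("%s: no file capabilities" % path)
        else:
            print("%s: permitted=%s effective=%s inheritable=%s" % (
                path, mask_to_names(info["permitted"]), info["effective"],
                mask_to_names(info["inheritable"])))
    eff = self_caps().get("CapEff", 0)
    print("this process: CapEff=%s" % (mask_to_names(eff) or "none"))
```

Run against a binary, the script reports the same sets getcap would, with only the kernel's xattr interface in play; run from inside a privileged program, the CapEff check is the "am I running with more than basic privileges" test the quoted message says a libcap-less cdrecord cannot make. Note that `rootid` in a v3 blob means the capabilities only apply inside the user namespace owning that uid, so a non-zero value should be reported rather than treated as a plain grant.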