Daniel Pielmeier <bil...@gentoo.org> wrote:

> > I am concerned about a different scenario:
> > 
> > Imagine, you compile cdrtools without libcap and later install the support
> > for the OS. Now you decide to use "setcap" to make cdrecord work. Cdrecord
> > will really work this way, but you opened a security hole as this cdrecord
> > now is not privileges aware and thus cannot even detect that it is running
> > with more than basic privileges. Such a cdrecord installation will happily
> > write any local file for any local user to CD.
> > 
> > Jörg
> > 
>
> If you add an option to make conditional linkage against libcap possible
> there are only two possible scenarios. cdrtools links against libcap and
> the capabilities are set or it doesn't link against libcap and cdrtools
> are installed suid root without capabilities.
>
> Everything is done in the ebuild and the user does not need to mess with
> setcap. It is controlled by the package manager and the linkage and
> capability setting are tied together at installation time.
>
> Just adding an option similar to the one for the ACLs would make my life
> a lot easier. Just enable it by default and make it possible to switch
> it off.

I am not sure whether there is a misunderstanding.

You could have an installation without libcap and without setcap/getcap where 
cdrecord still has active file capabilities. Nobody could check why, but 
cdrecord would be able to write any local file to CD on such a system.

The only problem I see is that you are able to remove important software on a 
Linux installation while the kernel still supports the feature by default.

Jörg

-- 
 EMail:jo...@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       j...@cs.tu-berlin.de                (uni)  
       joerg.schill...@fokus.fraunhofer.de (work) Blog: 
http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
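The risky state Jörg describes is a cdrecord binary that carries file capabilities (granted with setcap, or left over from an earlier install) while not being linked against libcap, so it cannot notice it is privileged. The following audit script is an added example, not code from the thread or from cdrtools; it assumes the host has the libcap `getcap` tool and `ldd` available, and the cdrecord paths at the bottom are constructed examples to adjust for your system. The decision logic is kept in a separate `classify` function so it can be checked without touching the filesystem.

```shell
#!/bin/sh
# Audit a binary (cdrecord is the case in the thread) for the combination
# of file capabilities set + no libcap linkage.  Added example, not from
# the mailing-list thread; assumes getcap (libcap tools) and ldd exist.

# classify CAPS LINKED: pure decision logic.  CAPS is 1 when file
# capabilities are set on the binary, LINKED is 1 when it is dynamically
# linked against libcap.  Prints one verdict word.
classify() {
    caps="$1"; linked="$2"
    if [ "$caps" = 1 ] && [ "$linked" = 0 ]; then
        echo "caps-without-libcap"   # privileged but not capability-aware: the bad case
    elif [ "$caps" = 1 ]; then
        echo "caps-with-libcap"      # capability-aware build, the intended setup
    elif [ "$linked" = 1 ]; then
        echo "libcap-no-caps"        # linked but nothing granted (e.g. suid root instead)
    else
        echo "plain"                 # neither; behaves like an unprivileged tool
    fi
}

# file_has_caps PATH: prints 1 if getcap reports any capability set on PATH,
# 0 otherwise.  Returns 2 if getcap itself is missing, which is exactly the
# "libcap tools removed while the kernel still honours file caps" situation
# the thread warns about, so it is reported rather than silently treated as 0.
file_has_caps() {
    if ! command -v getcap >/dev/null 2>&1; then
        echo "warning: getcap not found; file capabilities cannot be inspected" >&2
        return 2
    fi
    out=$(getcap "$1" 2>/dev/null)
    if [ -n "$out" ]; then echo 1; else echo 0; fi
}

# links_libcap PATH: prints 1 if the dynamic loader resolves libcap for PATH.
links_libcap() {
    if ldd "$1" 2>/dev/null | grep -q 'libcap\.so'; then echo 1; else echo 0; fi
}

# audit PATH: print "PATH: verdict" for one binary.
audit() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo "$bin: not found" >&2
        return 1
    fi
    caps=$(file_has_caps "$bin") || return 2
    linked=$(links_libcap "$bin")
    printf '%s: %s\n' "$bin" "$(classify "$caps" "$linked")"
}

# Usage sweep over typical install locations (constructed example paths).
for p in /usr/bin/cdrecord /usr/local/bin/cdrecord; do
    if [ -f "$p" ]; then audit "$p" || true; fi
done
```

A verdict of `caps-without-libcap` is the case to act on: either rebuild cdrtools with libcap support or drop the file capabilities (`setcap -r`) so the binary no longer runs with more than basic privileges. Because package managers may set capabilities at install time, running this after upgrades catches the case where a rebuild changed the linkage but the capability set was carried over.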
