On 5 Apr 2001, Thierry Vignaud wrote:
> > That is, why is mkisofs not executable by anyone?
> it's executable by everyone in cdwriter group. Whether normal users
> are in this group vary with security level.
> > What harm can possibly be done by running mkisofs?
> see later
> > And also, what is it set gid for?
> to enable some users and not some others to use it by specifying who
> is in this group.
> and to let these users having access to the required devices (/dev/sg*,
> /dev/scd*, /dev/pg*, and /dev/pcd* [the /dev/p* devices are for parallel
> writers])..
But the point is that you don't need access to the devices when you build
the ISO image, only when you actually burn the CD.
mkisofs should be:
-rwxr-xr-x root root /usr/bin/mkisofs
i.e. not set-gid or set-uid, just a normal binary.
> As for cdrecord, it MUST be SUID root because it locks itself in
> memory which can only be done with root rights (see "man
> cdrecord").
> cdda2wav has some real time features and to support them it is SUID
> root, too.
> So we make all these utilities be root.cdwriter owned and use goup
> membership to offer security.
But mkisofs doesn't require any privileges to run (unlike cdrecord,
cdda2wav etc.), so it should be just a normal binary.
Michael
