I'm trying to not make a confused email, and I'm not sure I'll succeed... My question is about grsecurity-hardened, but see below the emails that I reference to some extent.
Has anyone deployed RBAC policy/-ies in their /etc/grse/policy that make for using cdrecord and other binaries of cdrtools as normal user? I remember having tried, but not having had much time to investigate and learn what was required to get it done, I had to go with running cdrecord as root user, which certainly is not a good thing... I didn't have such problems with growisofs.

Just to make sure I didn't miss something, in the other email:

On 170315-09:28+0100, Raffaele Belardi wrote:
> [email protected] wrote:
> >
> > is it possible to run xcdroast without root ( i.e. user root or suid
> > )?
> >
>
> The first time you need to run it as root to enable non-root mode, it
> sets suid on some files (or asks you to, I don't remember), afterwards
> you can run as regular user. So the answer to your question is yes and
> no.

That, I guess regards only xcdroast, not cdrtools which it uses, right? I'm not certain about it, because, as I said above, I did end up running cdrecord as root, because I couldn't get the permissions right...

And of course this is likely the most relevant:

On 170315-10:43+0100, Joerg Schilling wrote:
> <[email protected]> wrote:
>
> > is it possible to run xcdroast without root ( i.e. user root or suid
> > )?
>
> Unfortunately xcdroast did miss that Linux finally implemented working
> support for fine grained privileges 4 years ago.
>
> In theory, you should be able to convert the suid wrapper it installs into a
> no-op wrapper to make it happy and use cdrtools-binaries that are installed via
> "setcap".
>
> Jörg
>
> --
> EMail:[email protected] (home) Jörg Schilling D-13353 Berlin
> [email protected] (work) Blog: http://schily.blogspot.com/
> URL: http://cdrecord.org/private/ http://sf.net/projects/schilytools/files/'
>

But that too appears to be about xcdroast...

( I know I could also ask about the following on gentoo-hardened ML, and I probably will, but I'd like to use the opportunity now that this thread is here and Joerg is reading. )

I'm actually looking for a shortcut solution, because I'm not left with much time to tinker and try to get it done: IOW, has anyone of the grsecurity-hardened users got the cdrecord and friends ( probably some of these, output of equery f cdrtools

/usr/bin/btcflash
/usr/bin/cdda2mp3
/usr/bin/cdda2ogg
/usr/bin/cdda2wav
/usr/bin/cdrecord
/usr/bin/devdump
/usr/bin/isodebug
/usr/bin/isodump
/usr/bin/isoinfo
/usr/bin/isovfy
/usr/bin/mkhybrid -> mkisofs
/usr/bin/mkisofs
/usr/bin/readcd
/usr/bin/scgcheck
/usr/bin/scgskeleton

) RBAC policies right to get normal user run them?

Joerg, I used cdrecord a lot, and of course I never liked the site of the stolen cdrecord versions that some Debian folks made. I remember I was using SuSE (which back then was maintained so greatly by mostly German developers, it's sad what became of SuSE...). Also, in the discussion on scsi, you were right, not the opposite side. But I didn't participate much. I'm not an expert now, and I wasn't even an advanced user back then.

Sincere regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr