Edward Pilatowicz <[EMAIL PROTECTED]> wrote:

> hey mark,
> this is a long standing (4 year old) bug:
>       4964815 Unable to burn CD's inside a non-global zone
> i just did some quick testing and i think the crux of the problem is
> that to burn cds, both cdrw and cdrecord need to issue uscsi commands,
> which currently requires the sys_devices privilege.  but this privilege
> can not be added to zones for security reasons.  (the framework will
> prevent you from adding this via zonecfg, you could hack around this by
> editing the zone config.xml file, but i wouldn't recommend doing this.)
> what needs to happen to really support this functionality is that the
> uscsi command space needs to be broken up into safe operations that can
> be granted to zones via a new privilege.  currently, we don't have
> staffing to work on this (although this issue has been discussed in our
> long term zones storage road map).

This kind of discussion will bring us into the same problems that are already 
present on Linux after Linus Torvalds created a list of good and bad SCSI
commands instead of fixing the underlying bug (that allowed anyone with
even a read-only file descriptor to send any SCSI command) :-(

While dumb programs like cdrw may (even this is not sure) be happy with 
a limited set of permitted SCSI commands, cdrecord supports many vendor 
specific features. As you need to know both vendor and the SCSI opcode 
in order to understand what an SCSI command may do, you will either end up
in castrated functionality of cdrecord or you need to allow all SCSI commands.


 EMail:[EMAIL PROTECTED] (home) Jörg Schilling D-13353 Berlin
       [EMAIL PROTECTED]                (uni)  
       [EMAIL PROTECTED]     (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
zones-discuss mailing list
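
The allowlist problem discussed in this thread, as an added example that is not part of the original messages and is neither Solaris nor Linux code: a per-opcode CDB filter in C. The `burn_ok` list and the verdict names are assumptions made for illustration; the group-code lengths follow the SCSI standard, where opcodes 0xC0-0xFF are vendor specific, so an opcode-only filter can report them only as undecidable.

```c
#include <stdint.h>
#include <stddef.h>

/* Verdicts of a hypothetical per-opcode filter (illustration only). */
enum verdict { CDB_ALLOW, CDB_DENY, CDB_VENDOR_UNKNOWN, CDB_MALFORMED };

/* Standard CDB length implied by the group code (top 3 bits of the opcode).
 * Returns 0 for group 3 (reserved / variable length, not handled here)
 * and for groups 6 and 7 (opcodes 0xC0-0xFF, vendor specific). */
static size_t cdb_group_len(uint8_t opcode)
{
    static const size_t len[8] = { 6, 10, 10, 0, 16, 12, 0, 0 };
    return len[opcode >> 5];
}

/* Constructed allowlist: a few standard commands a CD writer issues. */
static const uint8_t burn_ok[] = {
    0x00, /* TEST UNIT READY */
    0x12, /* INQUIRY */
    0x1B, /* START STOP UNIT */
    0x2A, /* WRITE(10) */
    0x35, /* SYNCHRONIZE CACHE(10) */
    0x43, /* READ TOC/PMA/ATIP */
    0x51, /* READ DISC INFORMATION */
    0x55, /* MODE SELECT(10) */
    0x5A, /* MODE SENSE(10) */
    0x5B, /* CLOSE TRACK/SESSION */
};

enum verdict cdb_check(const uint8_t *cdb, size_t n)
{
    if (cdb == NULL || n == 0)
        return CDB_MALFORMED;
    if ((cdb[0] >> 5) >= 6)          /* 0xC0-0xFF: meaning depends on the  */
        return CDB_VENDOR_UNKNOWN;   /* drive vendor, not on the opcode    */
    size_t want = cdb_group_len(cdb[0]);
    if (want == 0 || n != want)      /* unhandled group or wrong length    */
        return CDB_MALFORMED;
    for (size_t i = 0; i < sizeof burn_ok; i++)
        if (burn_ok[i] == cdb[0])
            return CDB_ALLOW;
    return CDB_DENY;                 /* e.g. 0x3B WRITE BUFFER             */
}
```

Whatever policy is chosen for `CDB_VENDOR_UNKNOWN` decides the trade-off raised above: denying it removes vendor-specific features, allowing it passes commands the filter cannot interpret.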