https://bugzilla.novell.com/show_bug.cgi?id=550021
https://bugzilla.novell.com/show_bug.cgi?id=550021#c28
--- Comment #28 from Marcus Meissner 2012-11-26 16:55:40 UTC ---
Let me go over the Solaris privileges first, write down why they are needed and
if there are Linux equivalents.
* PRIV_NET_PRIVADDR: This privilege seems to allow binding of TCP/IP sockets to
ports below 1024.
I think it is used for the remote scsi support implemented in librscg, which
binds to the "shell" service port.
The Linux kernel capability for this is CAP_NET_BIND_SERVICE.
* PRIV_FILE_DAC_READ: This privilege overrides the regular access control to be
able to read all files. (DAC == district access control)
I think it is used purely to open the device node in cdrecord.c, as the
privilege is dropped right afterwards.
In Linux, the /dev/sgX devices are managed by udev and get handed and removed
ACLs for the desktop / active console users. Opening the sg part of CD style
devices is generally allowed.
* PRIV_PROC_LOCK_MEMORY: Used to set setrlimit(RLIMIT_MEMLOCK) to INFINITY to
later be able to do mlockall(), which would otherwise not possible.
Reason is to not swap out cdrecord and the to-burned data on memory pressure.
The Linux kernel capability for this is CAP_IPC_LOCK.
* PRIV_PROC_PRIOCNTL: To gain realtime priority via raisepri(0);
This is most likely to avoid getting cdrecord scheduled away while writing.
I do not know why cdda2wav needs it, as the tool is not time critical.
The Linux kernel capability for this is CAP_SYS_NICE.
* PRIV_SYS_DEVICES: This is not fully clear what this privilege offers.
I find via google:
Allow a process to create device special files. Allow a process to
successfully call a kernel module that calls the kernel drv_priv(9F) function
to check for allowed access. Allow a process to open the real console device
directly. Allow a process to open devices that have been exclusively opened.
Nothing of this seems relevant to cdrecord.
Also used (not sure which privilege maps to this on Solaris):
AIO in /dev/sg for FIFO style buffering.
libscg does:
- try AIO via the SG_IO ioctl.
- if this fails, like with missing permissions, it will go back to the old
method as fallback by doing read/write method of commands to /dev/sgX
Currently AIO in /dev/sg requires the Linux capability CAP_SYS_RAWIO.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.