[Bug 550021] New: AUDIT-0: cdrecord of Schilys cdrtools
http://bugzilla.novell.com/show_bug.cgi?id=550021

Summary: AUDIT-0: cdrecord of Schilys cdrtools
Classification: openSUSE
Product: openSUSE 11.3
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: security-team@suse.de
ReportedBy: meissner@novell.com
QAContact: qa@suse.de
CC: jw@novell.com, hnch@gmx.net
Found By: Security Response Team

Joerg Schily's cdrtools want setuid root on /usr/bin/cdrecord. Whether that is necessary is another issue, but we should do a technical review.

-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Marcus Meissner
--- Comment #2 from Sebastian Krahmer
Juergen Weigert
--- Comment #3 from Sebastian Krahmer
--- Comment #4 from Henning Paul
--- Comment #5 from Jörg Schiling
--- Comment #6 from Marcus Meissner
--- Comment #7 from Ludwig Nussel
--- Comment #8 from Marcus Meissner
--- Comment #9 from Andreas Jaeger
--- Comment #10 from Juergen Weigert
The Linux kernel maintainers are unwilling to provide an orthogonal way of sending SCSI commands to any type of device that "speaks" SCSI in a single address space. [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310689#42]
I understand that the suid root is needed only as a workaround, so that cdrecord can do things that should be done within the kernel. I don't remember the details, but I am certain Joerg explained them to me already. Sorry.
--- Comment #11 from Jörg Schiling
--- Comment #12 from Jörg Schiling
--- Comment #13 from Jean-Daniel Dodin
--- Comment #14 from Marcus Meissner
--- Comment #15 from Jörg Schiling
> we lost sight of it.
> SG_SCSI_RESET seems to be the only command requiring root privileges that is called from libscg/scsi-linux-sg.c.
> we could perhaps talk with the upstream developers to get that allowed or at least find the reasoning why they block it.

This is wrong. There are a lot more things that need root privileges. I did already explain why cdrtools need root privileges (because Suse currently does not seem to offer a different way of gaining the needed privileges). As there was no reply with something like "we will include the needed features next week", there seems to be no other way than to make the related programs suid root.
--- Comment #18 from Juergen Weigert
--- Comment #19 from Jörg Schiling
--- Comment #21 from Marcus Meissner
--- Comment #22 from Jörg Schiling
--- Comment #23 from Thomas Biege
--- Comment #24 from Juergen Weigert
--- Comment #25 from Jörg Schiling
--- Comment #26 from Juergen Weigert
--- Comment #27 from Jörg Schiling
--- Comment #28 from Marcus Meissner
--- Comment #29 from Jörg Schiling
Jiaying ren
--- Comment #31 from Marcus Meissner
--- Comment #32 from Jörg Schiling
Dirk Mueller
--- Comment #33 from Jörg Schiling
--- Comment #34 from Jörg Schiling
--- Comment #35 from Jan Engelhardt
--- Comment #36 from Thomas Biege
--- Comment #37 from Jörg Schiling
--- Comment #38 from Jörg Schiling
--- Comment #39 from Juergen Weigert
> BTW: the current state is "resolved" which would imply that cdrecord is shipped with suid root on Suse already... What is the real state?

Negative. To me the implication of Thomas saying 'No setuid bit for cdrecord.' is that it is shipped without suid root. And yes, there is a specfile in our cdrtools package. Are you aware of the packaging efforts at https://build.opensuse.org/package/show?package=cdrtools&project=multimedia:apps ?
--- Comment #40 from Jörg Schiling
--- Comment #41 from Jan Engelhardt
--- Comment #42 from Jan Engelhardt
--- Comment #43 from Ludwig Nussel
--- Comment #44 from Jörg Schiling
--- Comment #45 from Jörg Schiling
> fscaps doesn't change anything. Just go ahead and submit the package without those /etc/permissions.d files and it will be off the radar.

I am not sure what you like to tell us here. It sounds like: distribute the "su" command without the needed privileges and we will be happy. Is this what you like to tell us?
--- Comment #46 from Jörg Schiling
--- Comment #47 from Jörg Schiling
--- Comment #48 from Michal Hrusecky
> Let me give a short feedback now:
>
> 1) SuSE delivers defective system include files that prevent compiling software (like star) that supports Linux (ext* specific) file flags:
>
> checking for sched_yield... yes
> checking for nanosleep... yes
> checking for /dev/tty... yes
> checking for /dev/null... yes
> checking for /dev/zero... yes
> checking for /dev/stdin... yes
> checking for /dev/stdout... yes
> checking for /dev/stderr... yes
> checking for /dev/fd/0... yes
> checking for /dev/fd/1... yes
> checking for /dev/fd/2... yes
> checking if Linux include file linux/ext2_fs.h is broken... yes
> checking if Linux include file /usr/src/linux/include/linux/ext2_fs.h is broken... yes
> checking if Linux include file scsi/scsi.h is broken... no
> checking if Linux include file /usr/src/linux/include/scsi/scsi.h is broken... no
> checking if Linux include file scsi/sg.h is broken... no
> checking if Linux include file /usr/src/linux/include/scsi/sg.h is broken... no
>
> Warning: *** /usr/src/linux/include contains broken include files ***
> Warning: *** /usr/src/linux/include is not used this reason ***
> Warning: This may result in the inability to use recent Linux kernel interfaces
>
> Warning: *** linux/ext2_fs.h is not usable at all ***
> Warning: *** This makes it impossible to support Linux file flags ***

No URL to the software (try googling star ;-) ), nothing indicates what is broken about that. If you want some help, providing some basic info can help ;-)

> 2) the sample program from the attachment does not compile. This is another result of the defects in /usr/include. In particular: /usr/include/sys/capabilities.h does not exist.

$ rpm -ql libcap-devel | grep include
/usr/include/sys/capability.h

> 3) There is no support for capabilities in Suse by default. Isn't it a pity that a system that installs a 6.4 GB sized system does not include 44 kBytes of security related software that is needed to avoid suid root binaries?

I got setcap and getcap without installing them explicitly, so either they are part of minimal X or quite basic stuff depends on it...

> 4) I experimented with the following set:
>
> /sbin/getcap cdrecord
> cdrecord = cap_dac_override,cap_net_bind_service,cap_ipc_lock,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep
>
> Comments?

Just a few comments to help you provide more information for people that are working on it - general bugzilla recommendation, I'm just a curious bystander.
--- Comment #49 from Jan Engelhardt
> You could help a lot if you did find the related equivalent privileges for the following privs from OpenSolaris:
>
> PRIV_FILE_DAC_READ   any local "file" can be read (needed to open /dev/sg or similar)
> PRIV_FILE_DAC_WRITE  any local "file" can be written (needed to open /dev/sg or similar)

CAP_DAC_OVERRIDE.

> PRIV_SYS_DEVICES   allow special device specific calls that use additional privileges. Needed to be able to send _any_ SCSI command to any device. This is needed in addition to being able to open(2) device nodes.

CAP_SYS_RAWIO.

> PRIV_PROC_LOCK_MEMORY   allow to lock any current and future (to be allocated) memory in core. On Linux this may need additional privs related to setrlimit(2).

CAP_IPC_LOCK for mlock; CAP_SYS_RESOURCE for setrlimit.

> PRIV_PROC_PRIOCNTL   allow to enhance process scheduling priority to any value

CAP_SYS_NICE.

> PRIV_NET_PRIVADDR   allow to bind to sockets with a port number < 1024.

CAP_NET_BIND_SERVICE. This one you will have noticed from my attached sample program.

> Solaris distinguishes between "effective", "permitted" and "inheritable" privs. Is this also true for Linux?

It is.

> Is the fcaps feature valid for all filesystem types and is it always part of the most limited install variant?

For all filesystems that can store xattrs. But it will be most relevant for the filesystem that the cdrecord and companion programs will reside on, which is usually some Linuxish filesystem (ext4, xfs, etc.) capable of holding xattrs. fscaps is always present with SUSE.
--- Comment #50 from Jan Engelhardt
> Warning: *** linux/ext2_fs.h is not usable at all ***
> Warning: *** This makes it impossible to support Linux file flags ***

The file does not exist. What were you hoping to find in it? Linux kernel commit 36695673b012096228ebdc1b39a6a5850daa474e promoted the extfs-specific flags to become general filesystem flags, from a programming point of view. For example, EXT2_IMMUTABLE_FL is now FS_IMMUTABLE_FL. See linux/fs.h.

> 2) the sample program from the attachment does not compile. This is another result of the defects in /usr/include. In particular: /usr/include/sys/capabilities.h does not exist.

Needs -lcap / libcap.so, available from libcap-devel.

> 3) There is no support for capabilities in Suse by default.

Capability support is there. It's just that it is not *used* in SUSE at this time like it is in Fedora.

> 4) I experimented with the following set:
>
> /sbin/getcap cdrecord
> cdrecord = cap_dac_override,cap_net_bind_service,cap_ipc_lock,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep

Did it work, at least a bit?
--- Comment #51 from Jan Engelhardt
> Did it work, at least a bit?

Well it does for me, for a limited test:

13:19 nakamura:~ > cdrecord -scanbus
Cdrecord-ProDVD-ProBD-Clone 3.01a07 (x86_64-unknown-linux-gnu) Copyright (C) 1995-2012 Joerg Schilling
cdrecord: Ikke tilgang (Permission denied). Cannot open '/dev/sg0'. Cannot open or use SCSI driver.
cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
13:17 nakamura:/opt/schily/bin # getcap cdrecord
cdrecord = cap_dac_override,cap_net_bind_service,cap_ipc_lock,cap_sys_admin,cap_sys_nice,cap_sys_resource+ep
13:17 nakamura:/opt/schily/bin # logout
13:19 nakamura:~ > cdrecord -scanbus
Cdrecord-ProDVD-ProBD-Clone 3.01a07 (x86_64-unknown-linux-gnu) Copyright (C) 1995-2012 Joerg Schilling
Linux sg driver version: 3.5.34
Using libscg version 'schily-0.9'.
scsibus0:
        0,0,0     0) 'ATA     ' 'Hitachi HTS54101' 'JA0O' Disk
        0,1,0     1) *
        0,2,0     2) *
        0,3,0     3) *
        0,4,0     4) *
        0,5,0     5) *
        0,6,0     6) *
        0,7,0     7) *
scsibus2:
        2,0,0   200) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,1,0   201) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,2,0   202) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,3,0   203) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,4,0   204) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,5,0   205) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,6,0   206) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,7,0   207) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,8,0   208) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,9,0   209) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,10,0  210) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,11,0  211) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,12,0  212) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,13,0  213) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,14,0  214) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
        2,15,0  215) 'CDEmu   ' 'Virt. CD/DVD-RO' '1.1' Removable CD-ROM
--- Comment #52 from Jörg Schiling
--- Comment #53 from Jörg Schiling
--- Comment #54 from Jörg Schiling
--- Comment #55 from Jan Engelhardt
> The comment in linux/capability.h led to CAP_SYS_ADMIN as a prerequisite for being able to send any SCSI command. Do I need CAP_SYS_RAWIO in addition?

I have skimmed the source code (linux-kernel/drivers/scsi/sg.c), and it would seem that CAP_SYS_RAWIO is sufficient in many spots where it is used:

13:43 ares07:../drivers/scsi > grep SYS_RAWIO *.c
hpsa.c:         if (!capable(CAP_SYS_RAWIO))
hpsa.c:         if (!capable(CAP_SYS_RAWIO))
scsi_debug.c:   if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
scsi_ioctl.c:   if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
scsi_ioctl.c:   if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
sg.c:           if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
sg.c:           if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
sg.c:           if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
sg.c:           if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
st.c:           !capable(CAP_SYS_RAWIO))

Of course, one could also grep for SYS_ADMIN and get some locations where RAWIO is not tested for - but such invocations lie outside sg.c and usually involve things like sysfs/sysctl tunables, so should not be too relevant.
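The capability mechanics discussed in comments #48 to #55 can be checked without a drive. The C program below is an added example; it is not code from this bug report, from cdrtools or from SUSE. It encodes and decodes the `security.capability` xattr that `setcap` stores on a binary (the `struct vfs_cap_data` layout from linux/capability.h: a little-endian magic word carrying the revision and the `+e` flag, then two permitted/inheritable pairs covering capability bits 0-31 and 32-63), and compares the set a binary would receive at exec against the list assembled in the thread. The "required" list is the thread's own proposal and is an assumption, not something cdrtools documents. One caveat that follows from the grep output just above: every `sg.c` line reads `if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))`, which rejects the request when either capability is missing, so a file capability for unfiltered SG commands needs both, not CAP_SYS_RAWIO alone. The example therefore reports the getcap set from comment #48 as lacking exactly CAP_SYS_RAWIO, and shows that the same set stored with `+p` only (no `+e`) grants nothing to the effective set at exec.

```c
/*
 * Added example, not code from the bug report, cdrtools or SUSE.
 * Decodes the security.capability xattr (struct vfs_cap_data) and checks
 * what a binary carrying it would have in its effective set after exec.
 * Capability numbers and magic values are the kernel's (linux/capability.h);
 * thread_required_caps() is the list proposed in this thread (an assumption).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit numbers from linux/capability.h. */
#define CAP_DAC_OVERRIDE      1
#define CAP_NET_BIND_SERVICE 10
#define CAP_IPC_LOCK         14
#define CAP_SYS_RAWIO        17
#define CAP_SYS_ADMIN        21
#define CAP_SYS_NICE         23
#define CAP_SYS_RESOURCE     24
#define CAPBIT(n) (1ULL << (n))

/* On-disk layout of security.capability, all fields little endian:
 *   u32 magic_etc;                                   revision | flags
 *   struct { u32 permitted; u32 inheritable; } data[2];   bits 0-31, 32-63
 *   u32 rootid;                                      revision 3 only */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define XATTR_CAPS_SZ_2 20
#define XATTR_CAPS_SZ_3 24

struct file_caps {
    uint64_t permitted;
    uint64_t inheritable;
    int effective;    /* the "+e" flag: permitted is raised to effective at exec */
    uint32_t rootid;  /* user-namespace root id for revision 3, else 0 */
};

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Build a revision-2 value, as `setcap caps=p` (effective=0) or `caps=ep` would. */
size_t encode_file_caps_v2(uint64_t permitted, uint64_t inheritable,
                           int effective, unsigned char out[XATTR_CAPS_SZ_2])
{
    put_le32(out, VFS_CAP_REVISION_2 | (effective ? VFS_CAP_FLAGS_EFFECTIVE : 0));
    put_le32(out + 4,  (uint32_t)permitted);
    put_le32(out + 8,  (uint32_t)inheritable);
    put_le32(out + 12, (uint32_t)(permitted >> 32));
    put_le32(out + 16, (uint32_t)(inheritable >> 32));
    return XATTR_CAPS_SZ_2;
}

/* Returns 0 on success, -1 on a short buffer or an unknown revision. */
int decode_file_caps(const unsigned char *buf, size_t len, struct file_caps *out)
{
    if (len < XATTR_CAPS_SZ_2) return -1;
    uint32_t magic = get_le32(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    if (rev != VFS_CAP_REVISION_2 && rev != VFS_CAP_REVISION_3) return -1;
    if (rev == VFS_CAP_REVISION_3 && len < XATTR_CAPS_SZ_3) return -1;
    memset(out, 0, sizeof *out);
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = get_le32(buf + 4) | (uint64_t)get_le32(buf + 12) << 32;
    out->inheritable = get_le32(buf + 8) | (uint64_t)get_le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3) out->rootid = get_le32(buf + 20);
    return 0;
}

/* The mapping from comment #49 plus CAP_SYS_ADMIN: the sg.c checks quoted in
 * comment #55 reject a command unless BOTH SYS_ADMIN and SYS_RAWIO are held. */
uint64_t thread_required_caps(void)
{
    return CAPBIT(CAP_DAC_OVERRIDE) | CAPBIT(CAP_SYS_RAWIO) | CAPBIT(CAP_SYS_ADMIN) |
           CAPBIT(CAP_IPC_LOCK) | CAPBIT(CAP_SYS_RESOURCE) | CAPBIT(CAP_SYS_NICE) |
           CAPBIT(CAP_NET_BIND_SERVICE);
}

/* Required bits that the exec'd process would NOT have effective. Without +e
 * the bits land only in the permitted set and the program must raise them
 * itself with capset(2); a tool that does not do so runs unprivileged. */
uint64_t missing_caps(const struct file_caps *fc, uint64_t required)
{
    uint64_t effective = fc->effective ? fc->permitted : 0;
    return required & ~effective;
}

/* Round trip: encode, decode, compare with the thread's list.
 * Returns UINT64_MAX if the value does not decode. */
uint64_t check_file_caps(uint64_t permitted, int effective)
{
    unsigned char buf[XATTR_CAPS_SZ_2];
    struct file_caps fc;
    size_t n = encode_file_caps_v2(permitted, 0, effective, buf);
    if (decode_file_caps(buf, n, &fc) != 0) return UINT64_MAX;
    return missing_caps(&fc, thread_required_caps());
}

int main(void)
{
    /* Constructed sample: the set shown by getcap in comment #48 (no SYS_RAWIO). */
    uint64_t comment48 = CAPBIT(CAP_DAC_OVERRIDE) | CAPBIT(CAP_NET_BIND_SERVICE) |
                         CAPBIT(CAP_IPC_LOCK) | CAPBIT(CAP_SYS_ADMIN) |
                         CAPBIT(CAP_SYS_NICE) | CAPBIT(CAP_SYS_RESOURCE);
    printf("comment #48 set, +ep: missing 0x%llx (bit %d is CAP_SYS_RAWIO)\n",
           (unsigned long long)check_file_caps(comment48, 1), CAP_SYS_RAWIO);
    printf("comment #48 set, +p only: missing 0x%llx\n",
           (unsigned long long)check_file_caps(comment48, 0));
    return 0;
}
```

To look at a real binary, read the raw value with `getfattr -n security.capability -e hex /path/to/cdrecord` and feed the bytes to `decode_file_caps`; `getcap` prints the same data in symbolic form.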
--- Comment #56 from Marcus Meissner
--- Comment #57 from Jörg Schiling
> All your tools will work just fine without any setuid root bits or capabilities.

You are of course wrong again. This has been discussed ad nauseam. I do not like to repeat the explanations again, please read one of the previous explanations. As long as you miss the needed knowledge, your comments are not helpful.
--- Comment #58 from Jan Engelhardt
> If there was another incompatible interface change in the linux kernel, I was assuming that the related developers at least inform the users of the code.

Ok, this does not seem to have happened. But I wager to say that ext2 attrs is not something that has been used very much, even within extfs. What does cdrtools use the flags for? grep -r '_FL\b' or grep -r '\bEXT2_' in the cdrtools-3.01a12 source does not yield any result.
--- Comment #59 from Jörg Schiling
(In reply to comment #54)

> > The comment in linux/capability.h led to CAP_SYS_ADMIN as a prerequisite for being able to send any SCSI command. Do I need CAP_SYS_RAWIO in addition?
>
> I have skimmed the source code (linux-kernel/drivers/scsi/sg.c), and it would seem that CAP_SYS_RAWIO is sufficient in many spots where it is used:
>
> 13:43 ares07:../drivers/scsi > grep SYS_RAWIO *.c
> hpsa.c:         if (!capable(CAP_SYS_RAWIO))
> hpsa.c:         if (!capable(CAP_SYS_RAWIO))
> scsi_debug.c:   if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
> scsi_ioctl.c:   if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
> scsi_ioctl.c:   if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
> ....

Did you also check layered transports like *ATA and USB? There is ATAPI and USB mass storage encapsulation, that may apply filters.
--- Comment #60 from Jörg Schiling
(In reply to comment #53)

> Ok, this does not seem to have happened. But I wager to say that ext2 attrs is not something that has been used very much, even within extfs.
> What does cdrtools use the flags for? grep -r '_FL\b' or grep -r '\bEXT2_' in the cdrtools-3.01a12 source does not yield any result.

Well, if I start compiling on a new or otherwise empty platform, I always start to compile ftp://ftp.berlios.de/pub/schily as this e.g. also contains a smake bootstrap. Also the Schily Makefilesystem is project independent, so it contains autoconf tests for anything you may need. The file flags are in use by star that is able to archive and restore them.
--- Comment #61 from Jan Engelhardt
> /dev/sg* is writeable and so usable by the regular desktop user due to ACLs being handed to it via udev.

But the ACL only gets you so and so far. The kernel code is pretty clear on requiring capabilities for certain code paths, most likely those that go beyond accessing circular optochemical plastic discs via MMC commands.

> As wodim and other cd accessing tools live happily without any setuid bits or capabilities, you will have to convince us why you need them first.

Because cdrtools is not just about CDs. Tapes come to mind, but, let me not get into that, because I don't have that tech.
--- Comment #62 from Jan Engelhardt
> The file flags are in use by star that is able to archive and restore them.

As the flag name change is now in the past, you will have to bite the bullet. To the best of my judgment, the Linux header files do not have any stability guarantees; the only guarantee is that the system calls continue to work if you have a compiled program. Then, to keep programs compiling in both old and new environments, programs like iptables (and even e2fsprogs) choose to ship a copy of the header file(s) that they use. Maybe you want to do the same for ext2_fs.h for star/smake.
--- Comment #63 from Jörg Schiling
(In reply to comment #56)

> > As wodim and other cd accessing tools live happily without any setuid bits or capabilities, you will have to convince us why you need them first.
>
> Because cdrtools is not just about CDs. Tapes come to mind, but, let me not get into that, because I don't have that tech.

wodim is the result of a hostile and dumb downstream. Eduard Bloch has no clue on SCSI or cdrecord and removed the error messages and warnings that would inform users about problems that result from missing privileges. In addition, as cdrecord adapts itself to the capabilities of the target device, not all problems that result from missing privileges will result in a message - even on original software. I propose that the decision on what to do should be made by experts that understand the topic.
--- Comment #64 from Jan Engelhardt
(In reply to comment #55)

> Did you also check layered transports like *ATA and USB? There is ATAPI and USB mass storage encapsulation, that may apply filters.

I have not checked yet; I would assume that, since permission checks make most sense at the user boundary (i.e. in the ioctl function), there are no extra restrictions during encapsulation. Can you name a vendor-specific ioctl you are issuing, and where it occurs in cdrtools?
--- Comment #65 from Jörg Schiling
--- Comment #66 from Jörg Schiling
--- Comment #67 from Jörg Schiling
--- Comment #68 from Jörg Schiling
--- Comment #69 from Marcus Meissner
--- Comment #70 from Dave Plater
--- Comment #71 from Dave Plater
--- Comment #72 from Marcus Meissner
--- Comment #73 from Dave Plater
--- Comment #74 from Jan Engelhardt
> Any special permissions for cdrecord will only be accepted if there are sound technical reasons, and none of these were listed or referenced in this bugreport yet.

Well the reasons have been posted quite clearly IMO. There was,
- support for vendor-specific SCSI commands (I think this is what warrants CAP_SYS_RAWIO),
- support for non-CDROM-type devices,
- attaining RT scheduling etc.
The question is only: does openSUSE want to ship that, or a reduced cdrtools that only can deal with standardized MMC CDROM drives at normal priority, for example.
--- Comment #75 from Dave Plater
--- Comment #76 from Jörg Schiling
Thomas Biege
--- Comment #77 from Marcus Meissner
--- Comment #78 from Marcus Meissner
--- Comment #79 from Bernhard Wiedemann
--- Comment #80 from Dave Plater
--- Comment #81 from Dave Plater
--- Comment #82 from Jan Engelhardt
--- Comment #83 from Marcus Meissner
--- Comment #84 from Bernhard Wiedemann
--- Comment #85 from Jörg Schiling
--- Comment #86 from Jan Engelhardt
--- Comment #87 from Dave Plater
--- Comment #88 from Jan Engelhardt
--- Comment #89 from Dave Plater
--- Comment #90 from Dave Plater
--- Comment #91 from Dave Plater
--- Comment #92 from Dave Plater
--- Comment #93 from Jörg Schiling
--- Comment #94 from Jörg Schiling
--- Comment #95 from Dave Plater
--- Comment #96 from Dave Plater
--- Comment #97 from Jörg Schiling
--- Comment #98 from Jan Engelhardt
> working on file-roller's dependency on genisoimage which unfortunately has conflicting binary names but is used for viewing iso's.

That should not be a problem; the dependencies are fixed in multimedia:apps. Just submit m:a/wodim and m:a/cdrtools to Factory, and everything will be fluffy again.
https://bugzilla.novell.com/show_bug.cgi?id=550021
https://bugzilla.novell.com/show_bug.cgi?id=550021#c99
--- Comment #99 from Dave Plater
https://bugzilla.novell.com/show_bug.cgi?id=550021#c100
--- Comment #100 from Dave Plater
https://bugzilla.novell.com/show_bug.cgi?id=550021#c101
--- Comment #101 from Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=550021#c102
--- Comment #102 from Jörg Schiling
https://bugzilla.novell.com/show_bug.cgi?id=550021#c103
--- Comment #103 from Jörg Schiling
https://bugzilla.novell.com/show_bug.cgi?id=550021#c104
--- Comment #104 from Jörg Schiling
(In reply to comment #98)
> cdrtools still has intermittent build failures on the post script.

Could you please explain why the log files contain warnings about "incorrect" capabilities and the capabilities listed in these warnings do not match the documented list of caps? Is it possible that one or more compile platforms do not have the correct capabilities listed in their known permissions?
https://bugzilla.novell.com/show_bug.cgi?id=550021#c105
--- Comment #105 from Jan Engelhardt
> how about removing isoinfo from cdrkit?

No objections here. Dave, do you know about any software that - for whatever reason - would depend on cdrkit-ish isoinfo? Would we have to provide that as /usr/bin/cdrkit-isoinfo instead?

(In reply to comment #99)
> cdrtools still has intermittent build failures on the post script.

(In reply to comment #104)
> Is it possible that one or more compile platforms do not have the correct capabilities listed in their known permissions?

submit request 175574 should fix that. (It is actually the post-build checks from /usr/bin/build, not the %post section itself.)
https://bugzilla.novell.com/show_bug.cgi?id=550021#c106
--- Comment #106 from Jan Engelhardt
I resubmitted a permissions package with the entries disabled so we can test it via the overrides in the current package [cdrtools SRPM].
It will be a bit until it has passed the checkin workflow again.

rpmlint still throws:
E: permissions-unauthorized-file (Badness: 10) /etc/permissions.d/cdrecord.secure
E: permissions-unauthorized-file (Badness: 10) /etc/permissions.d/cdrecord.paranoid
E: permissions-unauthorized-file (Badness: 10) /etc/permissions.d/cdrecord.easy
E: permissions-unauthorized-file (Badness: 10) /etc/permissions.d/cdda2wav.secure
E: permissions-unauthorized-file (Badness: 10) /etc/permissions.d/cdda2wav.paranoid
E: permissions-unauthorized-file (Badness: 10) /etc/permissions.d/cdda2wav.easy

Do we need to change the permissions SRPM or the rpmlint SRPM to get that out of the way?
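The files rpmlint complains about above are SUSE permissions profiles. As an added illustration (not the entries actually shipped in the cdrtools package's cdrecord.secure/paranoid/easy files), here is what such a fragment looks like in the /etc/permissions format, with the classic setuid-root entry next to a capability-based one. The path, mode and the choice of cap_sys_rawio are assumptions for the example; in a real profile only one of the two entries for a path would be present.

```text
# Illustrative /etc/permissions.d fragment (added example, assumed values).
# Format: <path> <owner>:<group> <mode>, optionally followed by an indented
# "+capabilities" line naming file capabilities to set.

# Weak form: setuid root. Every code path in the binary then runs as
# full root, not just the few ioctls that actually need privilege.
/usr/bin/cdrecord                        root:root   4755

# Stronger form: ordinary 0755 plus a file capability. Only the
# capability named in this thread for HBA-level SCSI resets is granted
# (effective+permitted); access to the drive node itself still comes
# from the ACL on /dev/srN, not from this entry.
/usr/bin/cdrecord                        root:root   0755
 +capabilities cap_sys_rawio=ep
```

A profile like this is applied with chkstat (for example `chkstat --set /etc/permissions.d/cdrecord.secure`) and the result checked with `getcap /usr/bin/cdrecord` and `stat -c %a /usr/bin/cdrecord`; the rpmlint error in the comment above is about the profile file not being on rpmlint's whitelist, not about its content.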
https://bugzilla.novell.com/show_bug.cgi?id=550021#c107
--- Comment #107 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=550021#c108
--- Comment #108 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=550021#c109
--- Comment #109 from Jan Engelhardt
> (although I can send _all_ SCSI commands to my libgphoto2 SCSI cameras, so it must be something different I am not aware of.)

Yes. You fail to recognize that your camera is outside the scope of "CD". As has been said before, SCSI resets want to have SYS_ADMIN or SYS_RAWIO as we speak. Your gphoto code does not issue any SCSI resets AFAICS, so of course gphoto won't need such caps. But cdrecord-libscg can issue such commands. (They are in fact HBA commands, not device commands, which is likely why it requires more permissions than what you get with the plain ACL'd device node.)
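The distinction drawn in the comment above (device access via an ACL'd node versus HBA-level resets that need CAP_SYS_ADMIN or CAP_SYS_RAWIO) is what a capability-based permissions profile relies on. The following is an added example, not code from cdrtools or libscg: a small C program that reads the process's effective capability set from /proc/self/status and gates a hypothetical reset on the two capabilities named in the thread, instead of testing for euid == 0. The capability numbers are taken from <linux/capability.h>; the parsing is done by hand so the example builds without libcap, and the policy function is an assumption modelled on the comment, not libscg's actual logic.

```c
/* Added example (not cdrtools/libscg code): decide whether the current
 * process could issue an HBA-level SCSI reset by checking its effective
 * capability set rather than testing for euid == 0.
 *
 * Capability numbers are from <linux/capability.h>; libcap is avoided so
 * the program builds anywhere with a C compiler. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#define CAP_SYS_RAWIO 17   /* raw I/O, including HBA-level commands */
#define CAP_SYS_ADMIN 21   /* the catch-all administrative capability */

/* Parse one "CapEff:\t<hex>" line from /proc/<pid>/status into a bitmask.
 * Returns 0 on success, -1 if the line is not a CapEff line or malformed. */
int parse_capeff(const char *line, uint64_t *out)
{
    const char *prefix = "CapEff:";
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return -1;
    const char *p = line + strlen(prefix);
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* 1 if capability number `cap` is present in `caps`, else 0. */
int has_cap(uint64_t caps, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((caps >> cap) & 1u);
}

/* Policy from the thread (assumed, not libscg's code): a SCSI/HBA reset
 * wants SYS_ADMIN or SYS_RAWIO. Ordinary device access through an ACL'd
 * /dev node is a separate matter and is not modelled here. */
int may_issue_scsi_reset(uint64_t caps)
{
    return has_cap(caps, CAP_SYS_RAWIO) || has_cap(caps, CAP_SYS_ADMIN);
}

/* One-shot helper: parse a status line and apply the policy.
 * Returns -1 on parse failure, else 0 (denied) or 1 (permitted). */
int reset_allowed_for_line(const char *line)
{
    uint64_t caps;
    if (parse_capeff(line, &caps) != 0)
        return -1;
    return may_issue_scsi_reset(caps);
}

/* Read the running process's effective capabilities from /proc.
 * Returns 0 on success, -1 if /proc is unavailable (non-Linux, sandbox). */
int read_own_capeff(uint64_t *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (parse_capeff(line, out) == 0) {
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    uint64_t caps;
    if (read_own_capeff(&caps) != 0) {
        fprintf(stderr, "cannot read /proc/self/status\n");
        return 1;
    }
    printf("CapEff=%016llx SYS_RAWIO=%d SYS_ADMIN=%d -> reset %s\n",
           (unsigned long long)caps,
           has_cap(caps, CAP_SYS_RAWIO), has_cap(caps, CAP_SYS_ADMIN),
           may_issue_scsi_reset(caps) ? "permitted" : "denied");
    return 0;
}
```

Run it once as an unprivileged user and once after `setcap cap_sys_rawio=ep ./a.out` to see the decision flip without the binary ever being setuid; that is the property the capability-based permissions profiles in this thread are meant to provide, and checking the capability bit rather than the effective uid is what keeps a program correct under both setups.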
https://bugzilla.novell.com/show_bug.cgi?id=550021#c
Jörg Schiling
https://bugzilla.novell.com/show_bug.cgi?id=550021#c110
--- Comment #110 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=550021#c111
--- Comment #111 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=550021#c112
--- Comment #112 from Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=550021#c113
--- Comment #113 from Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=550021#c114
--- Comment #114 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=550021#c115
--- Comment #115 from Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=550021#c116
--- Comment #116 from Jörg Schiling
https://bugzilla.novell.com/show_bug.cgi?id=550021#c
Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=550021#c117
--- Comment #117 from Jan Engelhardt
https://bugzilla.novell.com/show_bug.cgi?id=550021#c
bob nospam
https://bugzilla.novell.com/show_bug.cgi?id=550021#c118
--- Comment #118 from qvacfcajdjw@mailinator.com M8R-2yr72d@mailinator.com
https://bugzilla.novell.com/show_bug.cgi?id=550021#c119
--- Comment #119 from qvacfcajdjw@mailinator.com M8R-2yr72d@mailinator.com
Bug 550021 depends on bug 856805, which changed state.

Bug 856805 Summary: multimedia:apps/cdrtools: Licensing issues
http://bugzilla.novell.com/show_bug.cgi?id=856805

What       | Old Value | New Value
-----------+-----------+----------
Status     | NEW       | RESOLVED
Resolution |           | FIXED
https://bugzilla.novell.com/show_bug.cgi?id=550021#c120
--- Comment #120 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=550021#c121
--- Comment #121 from Juergen Weigert
> Also, please recall that Joerg Schilling has threatened SuSE with a lawsuit before:

The threat was about *not* distributing Joerg's original version. In comment 118 you raise concerns that we *do* distribute Joerg's original version. Isn't that a contradiction?
Bug 550021 depends on bug 856805, which changed state.

Bug 856805 Summary: multimedia:apps/cdrtools: Licensing issues
http://bugzilla.novell.com/show_bug.cgi?id=856805

What       | Old Value | New Value
-----------+-----------+----------
Status     | RESOLVED  | REOPENED
Resolution | FIXED     |

Bug 550021 depends on bug 856805, which changed state.

Bug 856805 Summary: multimedia:apps/cdrtools: Licensing issues
http://bugzilla.novell.com/show_bug.cgi?id=856805

What       | Old Value | New Value
-----------+-----------+----------
Status     | REOPENED  | CLOSED
Resolution |           | FIXED
participants (1): bugzilla_noreply@novell.com