Mailinglist Archive: opensuse-factory (949 mails)

Re: [opensuse-factory] Why don't we change to cdrtools ?
  • From: Joerg.Schilling@xxxxxxxxxxxxxxxxxxx (Joerg Schilling)
  • Date: Thu, 06 Aug 2009 12:59:16 +0200
  • Message-id: <4a7ab784.ce1iA72pz9E4mt4c%Joerg.Schilling@xxxxxxxxxxxxxxxxxxx>
Vladimir Nadvornik <nadvornik@xxxxxxx> wrote:

The fact that cdrecord with suid is able to use such device could be even
considered a security bug.

Cdrecord is carefully audited and you definitely _need_ root permissions if
you like to offer the features that cdrecord offers. Linux did _always_
require root privileges for such programs.

What changes in Linux are required to support cdrecord without root
permissions correctly?

As cdrecord on Solaris works without being root since January 2006 and for this
reason, it is well documented what you need to do:

- create a specific exec attribute for cdrecord and other commands from
cdrtools that contain the needed special fine grained privileges.

- For cdrecord on Solaris, this is:

PRIV_FILE_DAC_READ, PRIV_PROC_LOCK_MEMORY, PRIV_PROC_PRIOCNTL,
PRIV_NET_PRIVADDR, PRIV_SYS_DEVICES,

- For cdda2wav on Solaris, this is:

PRIV_FILE_DAC_READ, PRIV_PROC_PRIOCNTL,
PRIV_NET_PRIVADDR, PRIV_SYS_DEVICES,

- For readcd on Solaris, this is:

PRIV_FILE_DAC_READ,
PRIV_NET_PRIVADDR, PRIV_SYS_DEVICES,

For Linux, PRIV_SYS_DEVICES would need to be translated into what is appropriate
in order to permit sending _any_ SCSI command.

Since 2004, Solaris comes with a complete fine grained privileges environment.
Although Linux did start at a similar time, the implementation still seems to be
only 70% ready. Solaris implements kernel and user space support, Linux
implements kernel support but only a very rudimentary user space support.

It may be that there are other possibilities to make Linux usable (e.g. by using
specific filesystem features that look like mandatory access control features),
but these features (and many other important basic features) are treated as
"optional" by most Linux distros (the exception seems to be a single Turkish
distro).

I know about mlock and realtime priority. Anything else? The list of filtered
scsi commands seems to be complete so there should not be a problem.

See above, your assumptions about SCSI are incorrect and not having the needed
privileges is one reason for approx. 10-20% of the documented wodim bugs.


It is a lot more risky if you use software that has been influenced by
people who fail to understand the background. Eduard Bloch is such a
person....

And BTW: wodim has problems with dealing with e.g. SATA drives regardless
of whether you are root.

Could you please explain the technical background here?

As there is no clean concept for SCSI generic pass through on Linux, it is hard
to implement workarounds for the constantly "drifting" user interfaces from the
Linux kernel.

libscg implements a stable interface to the users of this lib but this only
works because I am using a very conservative design approach. People who don't
understand the problems with the Linux kernel/user interface tend to implement
solutions that work only for today but fail a short time later. This is what
happens with wodim.

Jörg

--
EMail:joerg@xxxxxxxxxxxxxxxxxxxxxxxxxxx (home) Jörg Schilling D-13353 Berlin
js@xxxxxxxxxxxxxxx (uni)
joerg.schilling@xxxxxxxxxxxxxxxxxxx (work) Blog:
http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
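
Added example, not part of the original mail and not cdrtools code: a check of a Linux process's effective capability set against the privilege list given for cdrecord on Solaris. The Solaris-to-Linux mapping in the table is an approximate assumption of this example (the mail itself leaves the Linux counterpart of PRIV_SYS_DEVICES open), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, approximate Linux counterparts; bits per <linux/capability.h>. */
static const struct { const char *solaris, *linux_cap; int bit; } cdrecord_map[] = {
    { "PRIV_FILE_DAC_READ",    "CAP_DAC_READ_SEARCH",   2 },
    { "PRIV_PROC_LOCK_MEMORY", "CAP_IPC_LOCK",         14 },
    { "PRIV_PROC_PRIOCNTL",    "CAP_SYS_NICE",         23 },
    { "PRIV_NET_PRIVADDR",     "CAP_NET_BIND_SERVICE", 10 },
    { "PRIV_SYS_DEVICES",      "CAP_SYS_RAWIO",        17 },
};
#define NMAP (sizeof(cdrecord_map) / sizeof(cdrecord_map[0]))

/* Parse the CapEff mask out of /proc/<pid>/status text; -1 if absent. */
int parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (p == NULL) return -1;
    p += strlen("CapEff:");
    *mask = strtoull(p, &end, 16);   /* skips the tab, reads the hex mask */
    return end == p ? -1 : 0;
}

/* Count mapped capabilities absent from mask; bit i of *missing marks row i. */
int count_missing(uint64_t mask, unsigned *missing)
{
    int n = 0;
    *missing = 0;
    for (size_t i = 0; i < NMAP; i++)
        if (!((mask >> cdrecord_map[i].bit) & 1)) { *missing |= 1u << i; n++; }
    return n;
}

int main(void)
{
    char buf[4096];
    uint64_t mask; unsigned miss;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) { perror("/proc/self/status"); return 2; }
    buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
    fclose(f);
    if (parse_capeff(buf, &mask) != 0) return 2;
    int n = count_missing(mask, &miss);
    for (size_t i = 0; i < NMAP; i++)
        printf("%-21s ~ %-20s %s\n", cdrecord_map[i].solaris, cdrecord_map[i].linux_cap, (miss >> i) & 1 ? "MISSING" : "held");
    return n ? 1 : 0;
}
```

The program exits with status 0 only when all five mapped capabilities are in the effective set, so it shows how far a process falls short of the listed set without running as full root.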