From: Mike Frysinger
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] useless set*id binaries
Date: Fri, 27 Jan 2012 21:14:37 -0500
Message-Id: <201201272114.37584.vapier@gentoo.org>

On Friday 27 January 2012 20:49:49 Samuli Suominen wrote:
> and people have multiple times tried to convince the cdrtools author to
> change this, but without success.
> the author can be, well, ...

sure, i'm not expecting him to be anything resembling reasonable. but if we
can reduce set*id impact by default and that means carrying a custom patch, i
think that's OK.

i thought we used to have set*id USE flags, but maybe all the packages with it
have migrated away.

my proposal would be to add a patch to ignore EACCES just like it already does
for ENOENT. then add a setuid USE flag that'd give the behavior we have today
(disabled by default) for the binaries that do writing. the ones that only
read have no excuse for needing setuid. then if the user has built with
USE=-setuid, we elog a message like:

    you've built with USE=-setuid. that means in order to access your discs,
    you need to add yourself to the cdrom group. if your burning does not go
    well, you can try adding the cdrom group to limits.conf with rtprio/mlock
    access like so:

-mike