From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Cc: ssuominen@gentoo.org
Subject: Re: [gentoo-dev] useless set*id binaries
Date: Sat, 28 Jan 2012 09:32:27 +0100
Message-ID: <20120128093227.14d208f4@pomiocik.lan>

On Sat, 28 Jan 2012 03:07:45 +0200
Samuli Suominen wrote:

> On 01/28/2012 02:41 AM, Mike Frysinger wrote:
> > On Friday 27 January 2012 19:18:07 Samuli Suominen wrote:
> >> On 01/28/2012 02:14 AM, Mike Frysinger wrote:
> >>> along these lines, why is cdrtools set*id ? if we have a "cdrom"
> >>> group, and we assign our cdroms/dvdroms to that group, then we
> >>> already have access control in place and can skip the set*id.
> >>
> >> cdrtools can't probe the drives without the binary being setuid,
> >> or the user belonging to the 'disk' group (and even that is not
> >> enough in some cases if the permissions vary)
> >
> > the drives are owned by the "cdrom" group and have group +rw. so
> > if the user is in the "cdrom" group, why can't they probe the
> > drives ?
> >
> > "disk" owns the non-removable hard drives.
> >
> > $ ls -l /dev/sr0 /dev/sg0 /dev/sg6
> > crw-rw---- 1 root disk 21, 0 Jan 6 23:07 /dev/sg0
> > crw-rw---- 1 root cdrom 21, 6 Jan 6 23:07 /dev/sg6
> > brw-rw---- 1 root cdrom 11, 0 Jan 17 22:28 /dev/sr0
> > -mike
>
> i don't know why, but it does probe also non-removable disks... it
> probes per bus, iirc
>
> you can try it easily yourself:
>
> ssuominen@null ~ $ cdrecord -scanbus

Does the user actually need to be able to do this? Doesn't passing
dev=... directly work?

-- 
Best regards,
Michał Górny
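
The group-versus-set*id question in this thread can be checked mechanically. The following is an added example, not code from the thread or from cdrtools: it parses the `ls -l` listing quoted above and applies the usual owner/group/other permission order to see which nodes an unprivileged user can open read-write. The user name `alice` and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Device listing as quoted in the thread (`ls -l /dev/sr0 /dev/sg0 /dev/sg6`).
LS_OUTPUT = """\
crw-rw---- 1 root disk 21, 0 Jan 6 23:07 /dev/sg0
crw-rw---- 1 root cdrom 21, 6 Jan 6 23:07 /dev/sg6
brw-rw---- 1 root cdrom 11, 0 Jan 17 22:28 /dev/sr0
"""


@dataclass
class Node:
    path: str
    mode: str   # e.g. "crw-rw----"
    owner: str
    group: str


def parse_ls(text):
    """Extract character/block device nodes from `ls -l` output."""
    nodes = []
    for line in text.splitlines():
        f = line.split()
        # Device nodes show "major, minor" instead of a size: 10 fields.
        if len(f) < 10 or f[0][0] not in "cb":
            continue
        nodes.append(Node(path=f[-1], mode=f[0], owner=f[2], group=f[3]))
    return nodes


def can_open_rw(node, user, groups):
    """Classic Unix DAC: exactly one class applies (owner, group, other)."""
    if user == "root":          # what a setuid-root binary effectively gets
        return True
    if user == node.owner:
        bits = node.mode[1:4]
    elif node.group in groups:
        bits = node.mode[4:7]
    else:
        bits = node.mode[7:10]
    return bits[0] == "r" and bits[1] == "w"


def audit(text, user, groups):
    """Map each device path to whether `user` can open it read-write."""
    return {n.path: can_open_rw(n, user, set(groups)) for n in parse_ls(text)}


if __name__ == "__main__":
    for groups in (["cdrom"], ["cdrom", "disk"]):
        print(groups, audit(LS_OUTPUT, "alice", groups))
```

With only `cdrom` membership, `/dev/sg6` and `/dev/sr0` are reachable but `/dev/sg0` is not, so a named optical device needs no set*id bit while a scan that touches every sg node does not get the same access.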