Using cdrecord SUID-root (Was "Re: usb mounting")

Kurt Wall kwall
Mon Jan 31 20:59:50 PST 2005


On Monday 31 January 2005 05:30, Roger Oberholtzer wrote:

> This is a cdrecord issue. It is just that k3b is trying to help. When
> you install cdrecord, you have an option to make it SUID root, which
> will allow it to change its priority to a higher level so you do not
> have buffer under-runs, which will result in drinks accessories. k3b
> is just letting you know that your install of cdrecord cannot change
> priorities. k3b does not care one way or the other. If you have
> happily been using cdrecord as it is currently installed, then do not
> change it. I think the Gentoo folk suggest not making the suggested
> change to the program. There is probably no problem making the
> change. But as a general rule, SUID programs are a potential security
> risk. The fewer the better. It is really a preference issue.

To further aggravate the situation, changes in the kernel's SCSI layer 
in 2.6.8.1 and later now prevent cdrecord from working when it is set 
SUID-root. This is one of the things that Joerg Schilling complains 
about vis-a-vis Linux and burning CDs.

<digression>
Personally, I think SUID-root apps are fine as long as you control 
access to them. They present an inherent security risk, of course, but 
so does running code built by a compiler you didn't create yourself. It 
all comes down to the level of risk you're willing to tolerate and the 
value of the resources you might lose or have to recover if something 
goes awry. Obviously, you don't want random users executing SUID-root 
programs via a Web interface, but who in their right mind runs cdrecord 
from over the Internet using a Web browser (just to cite an extreme 
example).
</digression>

Kurt
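
An added example, not part of the original post: one way to check the "control access" condition the message describes is to see who is allowed to execute a set-UID file at all. It assumes GNU `stat`, reads "control access" as restricting execute permission to a group (an assumption), and uses constructed stand-in files rather than real binaries.

```shell
#!/bin/sh
# Classify who may invoke a set-UID file, based on its mode bits.
suid_exposure() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 2; }
    # test -u is true only when the set-user-ID bit is set
    [ -u "$f" ] || { echo "not-suid"; return 0; }
    mode=$(stat -c '%a' "$f")            # octal mode string, e.g. 4750
    perm=$((0$mode))                     # leading 0 makes the shell parse it as octal
    if [ $((perm & 0001)) -ne 0 ]; then
        echo "suid-world-exec"           # any local user can run it
    elif [ $((perm & 0010)) -ne 0 ]; then
        echo "suid-group-exec"           # only the owner and the file's group
    else
        echo "suid-owner-only"
    fi
}

# Print path, owner:group, mode and exposure class for each argument.
audit_suid() {
    for p in "$@"; do
        printf '%s\t%s\t%s\n' "$p" \
            "$(stat -c '%U:%G %a' "$p" 2>/dev/null)" \
            "$(suid_exposure "$p")"
    done
}

# Constructed sample: empty files in a temp dir with the modes of interest.
demo() {
    d=$(mktemp -d)
    : > "$d/open";  chmod 4755 "$d/open"     # set-UID, world-executable
    : > "$d/group"; chmod 4750 "$d/group"    # set-UID, group-restricted
    : > "$d/plain"; chmod 0755 "$d/plain"    # no set-UID bit
    audit_suid "$d/open" "$d/group" "$d/plain"
    rm -rf "$d"
}

demo
```

The owner column matters as much as the class: a file is SUID-root only when the owner shown is root.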

