Re: Announcement re suid'd cdrecord

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



David L Norris wrote:

> On Fri, 2004-09-10 at 10:38 +0100, Paul Howarth wrote:
>> > There was an announcement yesterday about updating cdrecord if it has
>> > been manually suid'd. The link didn't give me any further information
>> > but does that mean if it's not been suid'd then do not update it.
> 
> If it is on your system then it would be wise to update.
> 
>> This is a wild guess having not looked at the code, but I suspect that
>> the updated cdrecord will refuse to run if it has been installed setuid
>> root because, as the update announcement noted, that would be a very
>> stupid thing to do.
> 
> There's a CVE number attached to the announcement.  That means there is
> some sort of security problem.  (And the announcement subject states
> SECURITY.)  Anyone who sets the vulnerable version of cdrecord suid root
> could allow a malicious user to gain root privileges.
> 
> Many programs that have security flaws and are suid root can be used to
> compromise the security of the entire system.  Thinking toward future
> security flaws one can conclude that it is unwise to allow everyone run
> anything with unrestricted root privileges.  The only programs which
> deserve to be suid root are simple programs (such as console-helper)
> which hopefully have had thorough security reviews.
> 
> Also, ponder this: cdrecord will allow the user to write data to files,
> disks, etc.  If cdrecord is suid root then any malicious (or stupid)
> user could easily destroy system files or entire storage devices.  Any
> program that has the ability to write to files should never be suid
> root.
> 

And given that recent linux kernels disallow cd writing except as root, what
do you propose?



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux