diff options
author | Igor Pashev <pashev.igor@gmail.com> | 2012-12-31 05:04:42 +0400 |
---|---|---|
committer | Igor Pashev <pashev.igor@gmail.com> | 2012-12-31 05:04:42 +0400 |
commit | 71dc8760ff4de5f365330d1bc571d934deb54af9 (patch) | |
tree | 7346d42a282562a3937d82307012b5857d642ce6 /doc/READMEs/README.suidroot | |
download | cdrkit-upstream/1.1.11.tar.gz |
Imported Upstream version 1.1.11upstream/1.1.11upstream
Diffstat (limited to 'doc/READMEs/README.suidroot')
-rw-r--r-- | doc/READMEs/README.suidroot | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/READMEs/README.suidroot b/doc/READMEs/README.suidroot new file mode 100644 index 0000000..b1198d6 --- /dev/null +++ b/doc/READMEs/README.suidroot @@ -0,0 +1,29 @@ + +This is an example of how to install wodim and other cdrkit applications to get +the root permissions in a safer way. + +Usually it is not a good idea to run the applications as root or to +give users the means to run wodim as root. This gives them an easy way +to fetch sensitive data by writing it to the disk, or pass arbitrary +SCSI commands, e.g. formatting a SCSI disk. + +This also applies to root-mode wrappers like sudo, they should be used with +the most possible care. + +The alternative way is installing wodim as suid-root application. In this +mode, wodim checks permission of the device access by comparing the ownership +of the device node user/group attributes for the real UID/GID of the calling +user. + +To give all user access to use wodim, enter: + + chown root /usr/local/bin/wodim + chmod 4711 /usr/local/bin/wodim + +To give a restricted group of users access to wodim, add a group +"cdburners" to your system and add the trusted users to this group. +Then enter: + + chown root:cdburners /usr/local/bin/wodim + chmod 4710 /usr/local/bin/wodim + |