[Libburn] New error

Bryan Forbes bryan at reigndropsfall.net
Mon Aug 23 08:23:26 PDT 2004 

I was just told by teuf and mjg59, in #gnome-hackers, that there is a
patch in kernel 2.6.8 that only allows burning with root.  Here's the
log:

<mxpxpod> something with the new 2.6.8 kernel makes libburn freak out
<mxpxpod> which is not good for coaster
<teuf> mxpxpod, yeah, that's a known issue with 2.6.8
<mxpxpod> teuf: really?
<teuf> mxpxpod, cd burning only works as root with it
<mxpxpod> teuf: well, when are they going to fix that?
<teuf> mxpxpod, in the next release ?
<teuf> I think they backed out the patch
<mxpxpod> teuf: good, thanks
<mjg59> teuf: No, they're not backing it out
<mxpxpod> mjg59: why not??
<mjg59> mxpxpod: Because the current situation is that anyone with read
access to a scsi generic device can destroy the hardware
<mxpxpod> mjg59: :(
<mjg59> 2.6.8 fixes that, so you need CAP_RAWIO instead
<mxpxpod> mjg59: is that a flag?
<teuf> mjg59, ah ok, I didn't follow the issue too closely
<mjg59> mxpxpod: It's a capability
<mxpxpod> mjg59: how's it work?
<mjg59> Root has it by default
<mjg59> So the easiest thing is to make the app suid root and then
immediately drop all privileges other than RAWIO
<mxpxpod> mjg59: how do I do that?
<jamesh> to make cd burning as an unpriveleged user really safe, the
kernel would probably need to include enough of the CD writing code to
allow you to do "cat cdimage.iso > /dev/cdrom"
<mjg59> mxpxpod: Which bit?
<mxpxpod> mjg59: the part about dropping all other privs
<mjg59> mxpxpod: capget, and then mask off all the bits you don't need
<mjg59> Then capset it back
<mxpxpod> mjg59: is capget a kernel function?
<mjg59> mxpxpod: Yeah, there's an easier interface through libc. See
capabilities(7)
<teuf> mxpxpod, see
http://www.ussg.iu.edu/hypermail/linux/kernel/0408.2/0091.html for a
thread about your problem

I'm not sure how to do that because Gtk+ doesn't allow me to run a
program setuid root.  I'm talking with mjg59 now about how to get this
to work.

On Mon, 2004-08-23 at 02:28 -0500, Derek Foreman wrote:
> On Sun, 22 Aug 2004, Bryan Forbes wrote:
> 
> > I just upgraded my kernel to 2.6.8 and I'm getting a new error with
> > libburn.  If I run the devices test, I get this on the command line:
> >
> > Initializing library...Success
> > Scanning for devices...devices: libburn/sg.c:247: sg_issue_command:
> > Assertion `err != -1' failed.
> > Killed
> 
> Nice.
> 
> You sure you have the right permissions on your cd burning device?  Can 
> you duplicate this while running as root?
> 
> My guess is that you've only got read access to the device node or 
> something along those lines.  And the only fix I'll be able to give you 
> will just make libburn refuse to use the device at all when it's 
> configured like that.
> 
> I think 2.6.8 added some command filtering stuff to prevent malicious 
> users from being able to destroy drives.
> 
> It looks like the command to unlock the drive door isn't allowed.  Amusing 
> because it appears to have been ok to lock it in the first place.
> 
> oh, and I think "thread apply all bt full" is what I'm looking for - but 
> I don't need any more info here.  This is most likely a device permission 
> problem or a kernel bug.
-- 
======================================================================
Bryan Forbes
bryan at reigndropsfall.net
http://www.reigndropsfall.net

"It does not take a majority to prevail, but rather an irate, tireless
minority keen to set brush fires in people's minds."
        - Samuel Adams, an architect of the Constitution

Key fingerprint = 3D7D B728 713A BB7B B8B1  5B61 3888 17E0 70CA 0F3D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://freedesktop.org/pipermail/libburn/attachments/20040823/131d0ad4/attachment.pgp

More information about the libburn mailing list