On Fri, 2004-08-20 at 12:57 -0400, Jeremy Katz wrote: > On Fri, 2004-08-20 at 12:47 -0400, Sean Middleditch wrote: > > k3b uses the cdrecord command line tool to do its work, iirc. You don't > > need to run k3b as root, just make cdrecord setuid. Which is exactly > > how the cdrecord author has always told people to use it. If you want > > to limit who can use cdrecord, change it's group and remove execute > > permissions for 'others'. Then only people in the group (or root) can > > execute cdrecord, and because its setuid root, it'll always work. > > ... > > which is a bad idea as I can now burn anything on the filesystem. Want > a copy of /etc/shadow to start cracking those passwords? Now you can > get one :) Point. You can then just set the RAWIO capability. I don't know if the filesystems these days allow setting those; a setuid wrapper that drops privileges but executes the real cdrecord with the necessary capability should work, no? > > Jeremy > > -- Sean Middleditch <elanthis@xxxxxxxxxxxxxxx> AwesomePlay Productions, Inc.
