setuid cdrecord vs. wodim

Bill Davidsen davidsen at tmr.com
Mon May 26 15:26:50 UTC 2008


Michael Schwendt wrote:
> On Fri, 23 May 2008 22:44:17 -0400, Bill Davidsen wrote:
> 
>> Michael Schwendt wrote:
>>> On Tue, 20 May 2008 17:33:24 +0200, Valent Turkovic wrote:
>>>
>>>> Hi,
>>>> this guide is the best guide for Fedora 9!
>>>>
>>>> http://fedoraguide.info/index.php/Main_Page
>>>> http://digg.com/linux_unix/Best_guide_for_Fedora_9_ever
>>>>
>>>> How to setup MP3 and Video codecs, ATI and Nvidia drivers,
>>>> CompizFusion, etc... you need it they got it :)
>>>>
>>>> Probably most of your questions about Fedora 9 are answered there and
>>>> the solutions are simple.
>>> Whoever added the setuid cdrecord stuff for k3b, please delete that
>>> or at least give the rationale for making the tools +s. k3b's warning
>>> can't be the only reason.
>>>
>> Just a clarification, cdrecord is not installed on FC9 at all, rather 
>> there is a program called "wodim" which is linked to cdrecord. Wodim is 
>> a modified version of an old version of cdrecord, not the current 
>> program from the original author.
>>
>> By any name the kernel filters commands sent to the burner which 
>> prevents certain commands from being sent unless you are root, 
>> particularly commands specific to a particular vendor.
> 
> So, in other words, Fedora does not work out of the box with such
> hardware?
> 
> This is an important question, because one argument against Linux
> is the number of things to fiddle with [at the command-line] before
> a setup becomes usable. (Lots of howtos suggest changing ownership and
> permissions of device files, for example.)
> 
> If setuid here is a requirement, why is it disabled in the Fedora
> package? If memory serves correctly, the cdrecord code drops
> privileges after setting up stuff. Is setuid needed or not?
> 
I believe the correct answer is "sometimes" and see below why.

> The wodim man page says:
> 
>     Root  permissions  are usualy required to get higher process scheduling
>     priority.
> 
> That was claimed as unnecessary a couple of times before.
> 
I regard it as unnecessary on a typical system, required on a system 
with high load. Use of a larger than default fifo and burnfree has been 
enough to handle scheduling issues for me, even on a humble Celeron with 
high load.

>     In order to be able to use the SCSI transport subsystem of the OS,  run
>     at  highest priority and lock itself into core wodim either needs to be
>     run as root, needs to be installed suid root  or  must  be  called  via
>     RBACs pfexec mechanism.
> 
Without a lot of checking of source code, I can only say that either 
wodim is not using all of the commands used by cdrecord OR the kernel 
has been modified to accept the command which the Linus kernel blocks. I 
don't know the answer. The priority and locking in core don't seem to be 
needed for typical CPU and memory loads.

However, (a) wodim is based on an older version of cdrecord, and (b) 
cdrecord has had some critical updates for D/L DVD and for Blu-ray media 
in the last month or so. I would expect the original tree of cdrecord to 
require setuid and to work better with some hardware. Wodim works with 
almost all CD and single layer DVD applications.

I also use growisofs (better user interface to multi-session), and 
cdrskin (another OK license).


-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
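
An added example, not part of the thread: a shell check for the question debated above, namely whether the burning tools on a system are actually installed setuid. It resolves symlinks first, so a cdrecord link is judged by the binary it points to. The function name `setuid_status` and the lookup of the tools on PATH are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report which burning tools are setuid.

# setuid_status PATH
# Resolves symlinks first, so a "cdrecord" link is judged by the binary it
# points to (wodim on the Fedora release discussed). Prints one line:
#   <status> <path> -> <resolved path>
# where status is setuid-root, setuid-uid<N>, not-setuid or missing.
setuid_status() {
    real=$(readlink -f -- "$1" 2>/dev/null) || real=""
    if [ -z "$real" ] || [ ! -e "$real" ]; then
        echo "missing $1"
        return 0
    fi
    if [ -u "$real" ]; then
        # Numeric owner from ls -n; only uid 0 makes the bit a root grant.
        uid=$(ls -ldn -- "$real" | awk '{print $3}')
        if [ "$uid" = "0" ]; then
            status="setuid-root"
        else
            status="setuid-uid$uid"
        fi
    else
        status="not-setuid"
    fi
    echo "$status $1 -> $real"
}

# Tools named in the thread; looked up on PATH (assumed install locations).
for tool in cdrecord wodim growisofs cdrskin; do
    path=$(command -v "$tool" 2>/dev/null) || path=""
    if [ -n "$path" ]; then
        setuid_status "$path"
    else
        echo "missing $tool"
    fi
done
```

A `setuid-root` line for a tool the distribution ships without the bit means someone changed its mode after installation, as the guide mentioned at the top of the thread suggested doing.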



