FS#66073 - [cdrtools] no read permission

Attached to Project: Community Packages
Opened by Justin Capella (justincapella) - Thursday, 02 April 2020, 03:10 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:01 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Jerome Leclanche (Adys)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Found the permissions odd

-rws--x--x 1 root root 382992 Oct 8 12:19 /usr/bin/cdda2wav
-rws--x--x 1 root root 574416 Oct 8 12:19 /usr/bin/cdrecord
lrwxrwxrwx 1 root root 8 Oct 8 12:19 /usr/bin/icedax -> cdda2wav
-rws--x--x 1 root root 345168 Oct 8 12:19 /usr/bin/readcd
lrwxrwxrwx 1 root root 6 Oct 8 12:19 /usr/bin/readom -> readcd
-rws--x--x 1 root root 139032 Oct 8 12:19 /usr/bin/rscsi
lrwxrwxrwx 1 root root 8 Oct 8 12:19 /usr/bin/wodim -> cdrecord


Additional info:
* package version(s) 3.02a09-2
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:

Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:01 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/cdrtools/issues/1
Comment by lukpod (lukpod) - Friday, 26 February 2021, 16:48 GMT
Also setuid/setgid is not needed with logind and udev.
Comment by loqs (loqs) - Friday, 26 February 2021, 21:54 GMT
@lukpod FS#67265 where without setuid or file caps image recording failed.
Comment by lukpod (lukpod) - Sunday, 28 February 2021, 20:17 GMT
Comment by loqs (loqs) - Sunday, 28 February 2021, 20:53 GMT
@lukpod could you please provide a diff of the changes you are proposing to the current PKGBUILD if any.
Comment by lukpod (lukpod) - Sunday, 28 February 2021, 21:54 GMT
Lack of read permissions is correct for setuid executables [1][2] and optical drives are accessible to logged in users regardless of group membership [3][4]. As long as setuid is used the current permissions are correct.

[1] https://man.archlinux.org/man/core/shadow/groupmems.8#SETUP
[2] https://github.com/shadow-maint/shadow/commit/a73d4aee753a09b8a4a074df26e06edc7e243d16
[3] https://wiki.archlinux.org/index.php/Users_and_groups#Pre-systemd_groups
[4] https://github.com/systemd/systemd/blob/main/rules.d/70-uaccess.rules.in
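
Added example, not part of the original thread or of the cdrtools packaging: a shell helper that classifies setuid/setgid file modes by what group and other may do, so the 4711 mode shown in the listing above (-rws--x--x) can be told apart from readable or writable set-id files. The function names and class labels are hypothetical, and audit_dir assumes GNU find and GNU stat.

```shell
#!/bin/sh
# Added example: classify set-id file modes by what group/other may do.
# classify_mode and audit_dir are hypothetical names; labels are constructed.

# classify_mode OCTAL  (three or four octal digits, as printed by stat %a)
#   plain           no setuid/setgid bit
#   suid-exec-only  set-id, group/other cannot read or write (4711, -rws--x--x)
#   suid-readable   set-id, group or other can read          (4755, -rwsr-xr-x)
#   suid-writable   set-id, group or other can write         (always a finding)
classify_mode() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) mode=0$mode ;;
        [0-7][0-7][0-7][0-7]) ;;
        *) echo invalid; return 1 ;;
    esac
    special=${mode%???}               # leading digit: 4=setuid, 2=setgid
    rest=${mode#?}                    # user, group, other digits
    group=${rest#?}; group=${group%?}
    other=${rest#??}
    if [ $(( special & 6 )) -eq 0 ]; then
        echo plain
    elif [ $(( (group | other) & 2 )) -ne 0 ]; then
        echo suid-writable
    elif [ $(( (group | other) & 4 )) -ne 0 ]; then
        echo suid-readable
    else
        echo suid-exec-only
    fi
}

# audit_dir DIR: one "class mode path" line per set-id regular file.
# Assumes GNU find (-perm /6000) and GNU stat (-c).
audit_dir() {
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%a %n' {} + |
    while read -r m path; do
        printf '%s %s %s\n' "$(classify_mode "$m")" "$m" "$path"
    done
}

# Example: audit_dir /usr/bin
```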
Comment by loqs (loqs) - Sunday, 28 February 2021, 21:59 GMT
So revert the capabilities added in FS#67265 rather than dropping the setuid?
Edit:
From AN03.01 in the tarball:
Note that cdrtools (as any other command) need to be capability-aware
in order to avoid security leaks with enhanced privileges. In most
cases, privileges are only needed for a very limited set of operations.
If cdrtools (cdrecord, cdda2wav, readcd) are installed suid-root, the
functions to control privileges are in the basic set of supported
functions and thus there is no problem for any program to control its
privileges - if they have been obtained via suid root, you are on a
secure system.
So either should work and using both seems duplicative.
Comment by lukpod (lukpod) - Monday, 27 September 2021, 00:16 GMT
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
Comment by lukpod (lukpod) - Monday, 11 September 2023, 20:20 GMT