FS#66073 - [cdrtools] no read permission

Attached to Project: Community Packages
Opened by Justin Capella (justincapella) - Thursday, 02 April 2020, 03:10 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:01 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Jerome Leclanche (Adys)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



Found the permissions odd

-rws--x--x 1 root root 382992 Oct 8 12:19 /usr/bin/cdda2wav
-rws--x--x 1 root root 574416 Oct 8 12:19 /usr/bin/cdrecord
lrwxrwxrwx 1 root root 8 Oct 8 12:19 /usr/bin/icedax -> cdda2wav
-rws--x--x 1 root root 345168 Oct 8 12:19 /usr/bin/readcd
lrwxrwxrwx 1 root root 6 Oct 8 12:19 /usr/bin/readom -> readcd
-rws--x--x 1 root root 139032 Oct 8 12:19 /usr/bin/rscsi
lrwxrwxrwx 1 root root 8 Oct 8 12:19 /usr/bin/wodim -> cdrecord

Additional info:
* package version(s) 3.02a09-2
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
This task depends upon

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:01 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/p ackaging/packages/cdrtools/issues/1
Comment by lukpod (lukpod) - Friday, 26 February 2021, 16:48 GMT
Also setuid/setgid is not needed with logind and udev.
Comment by loqs (loqs) - Friday, 26 February 2021, 21:54 GMT
@lukpod  FS#67265  where without seduid or file caps image recording failed.
Comment by lukpod (lukpod) - Sunday, 28 February 2021, 20:17 GMT Comment by loqs (loqs) - Sunday, 28 February 2021, 20:53 GMT
@lukpod could you please provide a diff of the changes you are proposing to the current PKGBUILD if any.
Comment by lukpod (lukpod) - Sunday, 28 February 2021, 21:54 GMT
Lack of read permissions is correct for setuid executables [1][2] and optical drives are accessible to logged in users regardless of group membership [3][4]. As long as setuid is used the current permissions are correct.

[1] https://man.archlinux.org/man/core/shadow/groupmems.8#SETUP
[2] https://github.com/shadow-maint/shadow/commit/a73d4aee753a09b8a4a074df26e06edc7e243d16
[3] https://wiki.archlinux.org/index.php/Users_and_groups#Pre-systemd_groups
[4] https://github.com/systemd/systemd/blob/main/rules.d/70-uaccess.rules.in
Comment by loqs (loqs) - Sunday, 28 February 2021, 21:59 GMT
So revert the capabilities added in  FS#67265  rather than dropping the setuid?
From AN03.01 in the tarball:
Note that cdrtools (as any other command) need to be capabylity-aware
in order to avoid security leaks with enhanced privileges. In most
cases, privileges are only needed for a very limited set of operations.
If cdrtools (cdrecord, cdda2wav, readcd) are installed suid-root, the
functions to control privileges are in the basic set of supported
functions and thus there is no problem for any program to control it's
privileges - if they have been obtained via suid root, you are on a
secure system.
So either should work and using both seems duplicative.
Comment by lukpod (lukpod) - Monday, 27 September 2021, 00:16 GMT Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more then 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.
Comment by lukpod (lukpod) - Monday, 11 September 2023, 20:20 GMT