(was: Re: PATCH: cdrecord: avoiding scsi device numbering for ide devices)

[John Myers <electronerd@monolith3d.com>]

[-- Attachment #1: Type: text/plain, Size: 2124 bytes --]

Christer Weinigel wrote:

> Pascal Schmidt <der.eremit@email.de> writes:

> [...] if I have write permisson to a CD burner, being able to
> burn a coaster by issuing strange commands is something I expect.
> Being able to destroy the firmware of the drive is not something I
> expect a normal user to be able to do.
> 
> There are at least three conflicting goals here:
> 
> 1. Only someone with CAP_SYS_RAWIO (i.e. root) should be able to do
>    possible destructive things to a device, and only root should be
>    able to bypass the normal security checks in the kernel (e.g. get
>    access to /dev/mem since access to it means that you can read and
>    modify internal kernel structures).
> 
> 2. A Linux system should have as few suid root binaries as possible.
> 
> 3. A normal user should be able to perform most tasks without needing
>    root.
> 

I hope this is not a stupid idea:

I propose a finer-grained approach to suid-root binaries. Perhaps, 
instead of having a single flag giving the binary all the rights and 
responsibilities of its owner, there could be a table/list/something of 
capabilities which we want to grant to the binary. This, of course, 
would be a privileged operation (perhaps a new capability?).

For example, we might want to grant cdrecord CAP_SYS_RAWIO. This way, we 
don't have to worry about cdrecord running as root and not dropping all 
the capabilities it doesn't need, by accident or by malice.

Further, and I realize that this would probably require major 
restructuring, perhaps there could be another field: for each capability 
we want to grant, a method to specify _where_ the binary can use that 
capability.

To extend the previous example: we might want to give cdrecord 
CAP_SYS_RAWIO just on, say, /dev/burner0 and /dev/burner1, but not 
/dev/hda. That way, some typo won't have us trying to burn cds with our 
hard disks.

Again, I hope it's not a stupid idea. I don't have a working 
implementation, and I'm not even sure if it's even possible, but it's a 
thought.
-- 
electronerd (jonathan s myers)
code poet and recycle bin monitor
programmer, monolith3d.com

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 254 bytes --]