[Kreatecd-devel] Security improvements (was: Back)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Wednesday, 15. August 2001 12:16, Niels Reedijk wrote:
> Hi Joseph and Alex,
>
> I'm back, and currently looking at what you've done lately. Looking good
> :-)
>

I just try to increase the suid root secuity of kreatecd by using a special 
wrapper for calling privileged helper apps. This wrapper can carefully 
designed to avoid security risks more easily. The main kreatecd executable 
will have no potential root privileges after that.

If you don't want the user to call cdrecord, mkisofs, cdda2wav etc. you will 
have to forbid calling the wrapper by creating a group for kreatecd, set 
kreatecd setgid and make the wrapper only executable by this group. The group 
should not have any special privileges.

Calling cdrecord manually through the wrapper (if not doing setgid) shouldn't 
be a problem either as you probably can use kreatecd to create the command 
line you need anyway (as long there is no security problem in cdrecord - but 
cdrecord is designed with security concepts in mind too)

Alexander