LinuxQuestions.org

Thread: Linux - Security / Package install from online repository, security and paranoia (https://www.linuxquestions.org/questions/linux-security-4/package-install-from-online-repository-security-and-paranoia-420586/)

Robhogg 03-01-2006 07:53 AM

Package install from online repository, security and paranoia
 
I installed the k3b mad package yesterday from one of the Packman mirrors (packman.iu-bremen.de) to allow burning of audio CDs from mp3 (which also updated a number of other packages to resolve dependencies). Following this, a configuration warning opened up when I restarted k3b telling me that I could experience problems with burning CDs as k3b was not configured to run with root privileges. I took the option to update k3b's configuration, entering the root password.

I have been worrying since about the possibility of an exploit being installed in this way. On the one hand:
  • The installation was done through YaST, which requires the root password to run anyway, so it seems that any exploit would not require this to be entered a second time.
  • Packman's repositories are generally a trusted source.
  • I have had CD burning failures in the past, which seemed to be due to k3b not running with root privileges.
However:
  • I could run k3b as root when necessary, by launching it from the command line with sudo / su root.

What do you all think?

Rob

Widgeteye 03-01-2006 09:42 AM

I run all that stuff as normal user. You need to make sure your dvd is writable by users: chmod 666 /dev/dvd or whatever you have as your dvd burner. Then make cdrecord and all the other cd/dvd recording programs owned by root but runnable by users: chmod 4755 cdrecord.

You shouldn't have to do your cd/dvd burning as root, ever. All you may have to do is make sure your burner is world writable as above. The rest may not even be necessary.

Robhogg 03-02-2006 05:20 AM

Hmm...

After doing the configuration as I described, ls -l `which k3b` gives:

-rwxr-xr-x 1 root root 2209828 2006-02-28 10:42 /opt/kde3/bin/k3b

and ls -l `which cdrecord` gives:

-rwxr-xr-x 1 root root 336668 2005-09-09 17:40 /usr/bin/cdrecord

I had actually expected that the permissions would have been set to the equivalent of 4755 - i.e. with setuid root (-rwsr-xr-x). Any idea what else it could have done?

Thanks,
Rob
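An added audit script (not from the thread or from k3b itself) for the question above: it reports owner, mode and special bits on the paths the thread mentions, and lists setuid/setgid files modified after a reference file, so anything a "run with root privileges" setup step changed can be spotted. The paths and the GNU stat usage are assumptions; adjust for your system.

```shell
#!/bin/sh
# Added example, not code from the thread: audit what a "run with root
# privileges" setup step could have changed. Paths are assumptions taken
# from the ls -l output in the thread.

# classify_mode MODE: name the special bits in a numeric mode (e.g. 4755).
classify_mode() {
    case "$1" in
        4???) echo setuid ;;
        2???) echo setgid ;;
        6???) echo setuid,setgid ;;
        *)    echo none ;;
    esac
}

# has_special_bits PATH: succeeds if setuid or setgid is set on PATH.
has_special_bits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# perm_report PATH: one line with owner, numeric mode and special bits.
# Uses GNU stat -c (coreutils), as found on SUSE.
perm_report() {
    p="$1"
    [ -e "$p" ] || { printf '%s: missing\n' "$p"; return 1; }
    mode=$(stat -c '%a' "$p")
    printf '%s owner=%s mode=%s special=%s\n' \
        "$p" "$(stat -c '%U:%G' "$p")" "$mode" "$(classify_mode "$mode")"
}

# recent_special_since REF: setuid/setgid files on the root filesystem
# modified after REF (e.g. the freshly installed k3b binary). Anything
# listed that the package manager did not put there deserves a closer look.
recent_special_since() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -newer "$1" 2>/dev/null
}

# Usage: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    for f in /opt/kde3/bin/k3b /usr/bin/cdrecord /dev/dvd; do
        perm_report "$f"
    done
    recent_special_since /opt/kde3/bin/k3b
fi
```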

