Package install from online repository, security and paranoia
I installed the k3b mad package yesterday from one of the Packman mirrors (packman.iu-bremen.de) to allow burning of audio CDs from mp3 (which also updated a number of other packages to resolve dependencies). Following this, a configuration warning opened up when I restarted k3b telling me that I could experience problems with burning CDs as k3b was not configured to run with root privileges. I took the option to update k3b's configuration, entering the root password.
I have been worrying since about the possibility of an exploit being installed in this way. On the one hand:
What do you all think? Rob
Quote:
I run all that stuff as normal user. You need to make sure your dvd is writable by users: chmod 666 /dev/dvd or whatever you have as your dvd burner. Then make cdrecord and all the other cd/dvd recording programs owned by root but runnable by users; chmod 4755 cdrecord. You shouldn't have to do your cd/dvd burning as root, ever. All you may have to do is make sure your burner is world writable as above. The rest may not even be necessary.
Hmm...
After doing the configuration as I described, ls -l `which k3b` gives:
-rwxr-xr-x 1 root root 2209828 2006-02-28 10:42 /opt/kde3/bin/k3b
and ls -l `which cdrecord` gives:
-rwxr-xr-x 1 root root 336668 2005-09-09 17:40 /usr/bin/cdrecord
I had actually expected that the permissions would have been set to the equivalent of 4755 - i.e. with setuid root (-rwsr-xr-x). Any idea what else it could have done?
Thanks, Rob
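Added example, not part of any post in this thread: a small POSIX shell audit that reports owner, octal mode and the setuid, setgid and world-writable bits for the burning tools and the device node, so the output can be saved before and after a root-privileged configuration step and compared. It assumes GNU coreutils `stat`; the function names `mode_flags` and `audit_paths` are hypothetical.

```shell
#!/bin/sh
# Added example: report the permission bits discussed in the thread
# (4755 = setuid root, 666 = world-writable device node).
# Assumption: GNU coreutils stat (-c format option), as found on Linux.

# Print the risky bits set in an octal mode such as 4755, 666 or 755.
mode_flags() {
    m=$((0$1))            # leading 0 makes the shell read the value as octal
    flags=""
    if [ $((m & 04000)) -ne 0 ]; then flags="$flags setuid"; fi
    if [ $((m & 02000)) -ne 0 ]; then flags="$flags setgid"; fi
    if [ $((m & 00002)) -ne 0 ]; then flags="$flags world-writable"; fi
    # Strip the leading space; print "none" when no bit matched.
    echo "${flags:- none}" | cut -c2-
}

# Print one line per path: owner, octal mode and flagged bits.
audit_paths() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "$p: missing"
            continue
        fi
        owner=$(stat -c '%U' "$p")
        mode=$(stat -c '%a' "$p")
        echo "$p owner=$owner mode=$mode flags=$(mode_flags "$mode")"
    done
}

# Stand-alone use: pass the paths to check, e.g.
#   sh audit.sh /opt/kde3/bin/k3b /usr/bin/cdrecord /dev/dvd
if [ $# -gt 0 ]; then
    audit_paths "$@"
fi
```

Saving the output to a file before the configuration dialog is accepted and again afterwards, then running `diff` on the two files, shows which of the listed paths changed owner or mode.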