k3b and permissions

by Juliet Kemp

We have k3b installed locally for users to burn CDs/DVDs/etc. This only gets used very infrequently, and it seems that something else has broken every time it does get used.

This time it was a "Cannot find writer" error. I checked for the presence of cdrecord and dvd-rw-tools; all fine. Eventually it turned out to be a permissions error - that /dev/cdrom was set to be only user- and group-writable; and the user was not in the relevant group. Added them, log in & out, all well.

This is curious, because I am 100% confident that I haven't changed anything on either /dev/cdrom (or the relevant group membership). Which implies that it has been changed with an update at some point. I'm not sure I see the point of this. Is being able to write to /dev/cdrom really such a security risk?

The longer-term solution is (assuming this doesn't break anything; I haven't checked yet) to set the cdrom group to come from LDAP and automatically put all users in it, to avoid having to do this for multiple machines.


3 Comments

Caitlyn Martin
2007-10-11 08:56:04
I have run into the same issue with K3B and GnomeBaker. I can't address what process makes the permissions change. I don't even know which distro we're discussing. I do think your solution, to have LDAP control who has write access to the CD writer, is an excellent one that leaves all the proper security mechanisms in place. For folks who don't use LDAP this could also be done in a sudoers file or in NIS/NIS+.


I don't think being able to write to /dev/cdrom is a significant security risk. However, manually changing that doesn't assure that the process that changed the permissions before won't run again and undo your change. Until you can identify that process and determine if you can easily modify that I think you have already hit on the best answer.

Mark
2007-10-12 12:59:11
I thought K3b had a built in function to run as root the first time you use it and it will fix all permission issues.
Juliet Kemp
2007-10-16 05:43:28
Mark - it does have some mechanism of this sort, but if things change after you install it & have already run it, this is less useful.