Debian Bug report logs - #196116
suid cdrecord drops root privileges before running privileged syscalls

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Roberto Lumbreras <rover-bugs@lumbreras.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: suid cdrecord drops root privileges before running privileged syscalls

Date: Wed, 04 Jun 2003 21:15:56 +0200

Package: cdrecord
Version: 4:2.0+a14-1
Severity: normal


When running cdrecord (suid root) as user, it displays this message:

cdrecord: Operation not permitted. WARNING: Cannot set RR-scheduler
cdrecord: Permission denied. WARNING: Cannot set priority using setpriority().
cdrecord: WARNING: This causes a high risk for buffer underruns.

is cdrecord dropping root privileges before running privileged syscalls?

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux lobo 2.4.20 #1 dom dic 22 01:42:33 CET 2002 i686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (ignored: LC_ALL set)

Versions of packages cdrecord depends on:
ii  debconf                       1.2.38     Debian configuration management sy
ii  libc6                         2.3.1-17   GNU C Library: Shared libraries an
ii  makedev                       2.3.1-62   Creates device files in /dev.

-- debconf information:
* cdrecord/MAKEDEV: false
* cdrecord/MAKEDEVNEW: true
* cdrecord/do_it_yourself: 
* cdrecord/SUID_bit: true

Message #10 received at 196116-close@bugs.debian.org (full text, mbox, reply):

From: Eduard Bloch <blade@debian.org>

To: 196116-close@bugs.debian.org

Subject: Bug#196116: fixed in cdrtools 4:2.0+a16-2

Date: Tue, 08 Jul 2003 13:17:11 -0400

We believe that the bug you reported is fixed in the latest version of
cdrtools, which is due to be installed in the Debian FTP archive:

cdda2wav_2.0+a16-2_i386.deb
  to pool/main/c/cdrtools/cdda2wav_2.0+a16-2_i386.deb
cdrecord_2.0+a16-2_i386.deb
  to pool/main/c/cdrtools/cdrecord_2.0+a16-2_i386.deb
cdrtools_2.0+a16-2.diff.gz
  to pool/main/c/cdrtools/cdrtools_2.0+a16-2.diff.gz
cdrtools_2.0+a16-2.dsc
  to pool/main/c/cdrtools/cdrtools_2.0+a16-2.dsc
mkisofs_2.0+a16-2_i386.deb
  to pool/main/c/cdrtools/mkisofs_2.0+a16-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 196116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated cdrtools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 08 Jul 2003 18:57:49 +0200
Source: cdrtools
Binary: cdda2wav mkisofs cdrecord
Architecture: source i386
Version: 4:2.0+a16-2
Distribution: unstable
Urgency: low
Maintainer: Joerg Jaspert <joerg@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description: 
 cdda2wav   - Creates WAV files from audio CDs
 cdrecord   - A command line CD writing tool
 mkisofs    - Creates ISO-9660 CD-ROM filesystem images
Closes: 196116 199498 199773 200375
Changes: 
 cdrtools (4:2.0+a16-2) unstable; urgency=low
 .
   * update DVD patch from
     http://people.mandrakesoft.com/~warly/files/cdrtools/ (thanks to Sven
     Gohlke for the hint.) (AM)
   * fixed in previous upload: loosing suid permissions when compiled with
     -DUSE_USGSHM (Closes: #196116) (AM)
   * Fix broken cdrecord statoverrides inherited from xcdroast
     (Closes: #199498, #199773, #200375) (AM, EB)
   * Copy existing statoverrides from the cdrecord-wrapper script to the new
     executables (EB)
Files: 
 7ffdc4a6559c356eea6cc44c6da146ea 719 otherosfs optional cdrtools_2.0+a16-2.dsc
 81fa75e22bd47ad7da6ab108b9aa75c2 78408 otherosfs optional cdrtools_2.0+a16-2.diff.gz
 90ac6b44670cb4e4432512639b029fde 664136 otherosfs optional cdrecord_2.0+a16-2_i386.deb
 ddabd05d95060d67be847c29ed373bb3 307328 otherosfs optional mkisofs_2.0+a16-2_i386.deb
 f3635b48b1d25fb35af8f888f3cd43df 158192 sound optional cdda2wav_2.0+a16-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/CvsG4QZIHu3wCMURAhgLAJ4zZo7+lyvDx99O/k/c/nw1oWY1KwCfT7zg
GPyA6p0p11Gas+FZ/vIYhZc=
=Mhep
-----END PGP SIGNATURE-----

Message #15 received at 196116@bugs.debian.org (full text, mbox, reply):

From: "Nikita V. Youshchenko" <yoush@cs.msu.su>

To: Debian Bug Tracking System <196116@bugs.debian.org>

Subject: cdrecord: Seems this is still not fixed ...

Date: Fri, 11 Jul 2003 11:54:48 +0400

Package: cdrecord
Version: 4:2.0+a16-2
Followup-For: Bug #196116

Unfortunately, the problem is still there in the current cdrecord
package.

...
cdrecord.mmap: Operation not permitted. WARNING: Cannot set RR-scheduler
cdrecord.mmap: Permission denied. WARNING: Cannot set priority using setpriority().
cdrecord.mmap: WARNING: This causes a high risk for buffer underruns.
...

> ls -l /usr/bin/cdrecord*
-rwxr-xr-x    1 root     root          142 2003-07-08 21:08 /usr/bin/cdrecord*
-rws--x--x    1 root     cdrom      310060 2003-07-08 21:08 /usr/bin/cdrecord.mmap*
-rws--x--x    1 root     cdrom      310476 2003-07-08 21:08 /usr/bin/cdrecord.shm*
> dpkg-statoverride --list | grep cdrecord
stripping trailing /
root cdrom 4711 /usr/bin/cdrecord.mmap
root cdrom 4711 /usr/bin/cdrecord.shm



-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux zigzag 2.4.21 #1 Втр Июл 8 13:33:13 MSD 2003 i686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R

Versions of packages cdrecord depends on:
ii  debconf                       1.2.35     Debian configuration management sy
ii  libc6                         2.3.1-17   GNU C Library: Shared libraries an
ii  makedev                       2.3.1-62   Creates device files in /dev.

-- debconf information:
* cdrecord/SUID_bit: true
  cdrecord/MAKEDEV: true
  cdrecord/MAKEDEVNEW: true
  cdrecord/do_it_yourself: 

Message #22 received at 196116@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@logic.univie.ac.at>

To: 196116@bugs.debian.org

Subject: Re: cdrecord: Seems this is still not fixed ...

Date: Fri, 11 Jul 2003 11:51:13 +0200

On Fri, Jul 11, 2003 at 11:54:48AM +0400, Nikita V. Youshchenko wrote:
> cdrecord.mmap: Operation not permitted. WARNING: Cannot set RR-scheduler
> cdrecord.mmap: Permission denied. WARNING: Cannot set priority using setpriority().
> cdrecord.mmap: WARNING: This causes a high risk for buffer underruns.
> ...

> > ls -l /usr/bin/cdrecord*
> -rwxr-xr-x    1 root     root          142 2003-07-08 21:08 /usr/bin/cdrecord*
> -rws--x--x    1 root     cdrom      310060 2003-07-08 21:08 /usr/bin/cdrecord.mmap*
> -rws--x--x    1 root     cdrom      310476 2003-07-08 21:08 /usr/bin/cdrecord.shm*
[...]

Hello,
I am little bit at loss. Just checking for the obvious:
- Are you running some special kernel (2.5, se-linux, gr-security)?
- Is /usr mounted nosuid (check /proc/mounts)?

I've seen to similar (unresolved) reports in German usenet (both
non-debian)
<dcoulm.m3smqm3owt.fsf@beldin.mt743742.dialup.rwth-aachen.de> and
<slrnbgt0ng.oi7.egerlach@rex2.linuxburg.de>.
            cu andreas

Message #27 received at 196116@bugs.debian.org (full text, mbox, reply):

From: "Nikita V. Youshchenko" <yoush@cs.msu.su>

To: Andreas Metzler <ametzler@logic.univie.ac.at>, 196116@bugs.debian.org

Subject: Re: Bug#196116: cdrecord: Seems this is still not fixed ...

Date: Fri, 11 Jul 2003 14:27:48 +0400

[Message part 1 (text/plain, inline)]

> On Fri, Jul 11, 2003 at 11:54:48AM +0400, Nikita V. Youshchenko wrote:
> > cdrecord.mmap: Operation not permitted. WARNING: Cannot set
> > RR-scheduler cdrecord.mmap: Permission denied. WARNING: Cannot set
> > priority using setpriority(). cdrecord.mmap: WARNING: This causes a
> > high risk for buffer underruns. ...
> >
> > > ls -l /usr/bin/cdrecord*
> >
> > -rwxr-xr-x    1 root     root          142 2003-07-08 21:08
> > /usr/bin/cdrecord* -rws--x--x    1 root     cdrom      310060
> > 2003-07-08 21:08 /usr/bin/cdrecord.mmap* -rws--x--x    1 root    
> > cdrom      310476 2003-07-08 21:08 /usr/bin/cdrecord.shm*
>
> [...]
>
> Hello,
> I am little bit at loss. Just checking for the obvious:
> - Are you running some special kernel (2.5, se-linux, gr-security)?
> - Is /usr mounted nosuid (check /proc/mounts)?

No. It is official 2.4.21, and /usr is not nosuid (in fact, nosuid /usr 
will break sudo and other tools).

I've strace'd cdrecord.mmap. The result is attached. Search for 
sched_setscheduler() there. Seems that cdrecord forks a child, and the 
child fails to perform a priveledged syscall. Does forked process inherit 
euid?

[log.bz2 (application/x-bzip2, attachment)]

Message #32 received at 196116@bugs.debian.org (full text, mbox, reply):

From: "Nikita V. Youshchenko" <yoush@cs.msu.su>

To: Andreas Metzler <ametzler@logic.univie.ac.at>, 196116@bugs.debian.org

Subject: Re: Bug#196116: cdrecord: Seems this is still not fixed ...

Date: Fri, 11 Jul 2003 15:42:44 +0400

So the problem is that:

- in main(), cdrecord.c:441, root priveledges are dropped;
- much later, from main(), cdrecord.c:932, init_fao() is called,
- in init_fao(), fifo.c, a child is forked, and an attempt is made to 
change set realtime priority for the child. Since root priveledjes are 
already dropped, this fails.

I'm not familar enough with cdrecord core to fix this. Sorry.

Message #37 received at 196116@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@downhill.at.eu.org>

To: 196116@bugs.debian.org

Subject: Re: Bug#196116: cdrecord: Seems this is still not fixed ...

Date: Sat, 12 Jul 2003 16:20:04 +0200

On Fri, Jul 11, 2003 at 03:42:44PM +0400, Nikita V. Youshchenko wrote:
> So the problem is that:
> 
> - in main(), cdrecord.c:441, root priveledges are dropped;
> - much later, from main(), cdrecord.c:932, init_fao() is called,
> - in init_fao(), fifo.c, a child is forked, and an attempt is made to 
> change set realtime priority for the child. Since root priveledjes are 
> already dropped, this fails.
> 
> I'm not familar enough with cdrecord core to fix this. Sorry.

Hello,
Thanks for your analysis, I took it and forwarded it to the (German
speaking) newsgroup de.comp.hardware.laufwerke.brenner, where
cdrecord's author is active. He has provided an answer in
<beoso2$110$1@news.cs.tu-berlin.de> (it starts with a rant about Suse,
the intersesting part for you is near the end of the article, I hope my
translation is not too bad.

Crude translation:
|-------------------
| You can safely ignore this message.
| 
| Recently cdrecord was changed to limit the time runnig as root, and
| the error message is triggered by the FIFO-Backgroundprocess which is
| running without root-privileges. This process is trying to *lower* its
| priority from the maximum priority that it inherited and fails because
| of missing priviledges.
| 
| Sadly because of an design error in POSIX, there is no straightforward
| fix for this, cdrecord will be changed to be able to not only drop root
| privileges but also to get them back. Doing this differs greatly
| between different systems and checking for the right method using
| autoconf will require /some/ work.
|-------------------
         hth, cu andreas

Message #42 received at 196116@bugs.debian.org (full text, mbox, reply):

From: "Nikita V. Youshchenko" <yoush@cs.msu.su>

To: Andreas Metzler <ametzler@downhill.at.eu.org>, 196116@bugs.debian.org

Subject: Re: Bug#196116: cdrecord: Seems this is still not fixed ...

Date: Sat, 12 Jul 2003 22:59:39 +0400

> > - in main(), cdrecord.c:441, root priveledges are dropped;
> > - much later, from main(), cdrecord.c:932, init_fao() is called,
> > - in init_fao(), fifo.c, a child is forked, and an attempt is made to
> > change set realtime priority for the child. Since root priveledjes
> > are already dropped, this fails.
>
> | You can safely ignore this message.
> |
> | Recently cdrecord was changed to limit the time runnig as root, and
> | the error message is triggered by the FIFO-Backgroundprocess which is
> | running without root-privileges. This process is trying to *lower*
> | its priority from the maximum priority that it inherited and fails
> | because of missing priviledges.

Hmmm.

I am getting random write I/O errors while using cdrecord with a Toshiba 
DVD/CDRW drive (Vendor: TOSHIBA  Model: DVD-ROM SD-R1312 Rev: 1011 Type:   
CD-ROM ANSI SCSI revision: 02).
The errors are not very often and are not deterministic (e.g. if cdrw disk 
is being written, the problem almost always may be fixed by cleaning and 
rewriting; but it can not be fixed for cdr disk for obvious reason).
It *seems* that disabling DMA on the drive makes the errors less frequent. 
But it does not avoid them - at least once I got such an error with DMA 
disabled.

But there was a time without errors. Now it is almost impossible to 
remember when it happened first. And I don't know what is wrong - IDE 
controller, drive, or cdrecord software.

I thought that the priority problem discussed in this bug could cause 
these errors - cdrecord could not respond fast enogh (it is running on 
almost always busy LTSP-like server), so the result. 

Maybe something is still wrong with the priority? Can SCHED_RR task be 
pre-empted by another SCHED_RR task with the same priority? Can't it 
happen that the "FIFO background process" fails to lower it's priority 
and then main recording process can't get to CPU when needed because of 
that process?

And if everything is OK with priorities, what else can cause the write 
errors? Are there any diagnostic tools available? Is there any way to 
find out what is wrong without buying new hardware?

Message #47 received at 196116@bugs.debian.org (full text, mbox, reply):

From: Joerg Schilling <schilling@fokus.fraunhofer.de>

To: 196116@bugs.debian.org

Subject: This bug has been fixed more than a month ago

Date: Sat, 17 Jan 2004 13:02:49 +0100 (CET)

It should be closed on Debian.



Jörg

-- 
 EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       js@cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
       schilling@fokus.fraunhofer.de	(work) chars I am J"org Schilling
 URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily

Message #52 received at 196116-done@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@downhill.at.eu.org>

To: Joerg Schilling <schilling@fokus.fraunhofer.de>, 196116-done@bugs.debian.org

Subject: Re: Bug#196116: This bug has been fixed more than a month ago

Date: Sat, 17 Jan 2004 13:37:46 +0100

On Sat, Jan 17, 2004 at 01:02:49PM +0100, Joerg Schilling wrote:
> It should be closed on Debian.

Thanks for the hint, closing with this message.

This bug has been fixed in 2.01a21:
| -   Hack to work around a POSIX real time priotity design bug that
|     causes us to become root again on e.g. Linux in order to be able
|     to lower the priority of the FIFO background process.
                 cu andreas

Send a report that this bug log contains spam.