Bug 179862

I thought I already fixed this bug... do you use the latest rawhide version of
cdrecord???

Rawhide, updated as of 06 Feb. 2006

rpm -q cdrecord
cdrecord-2.01.01.0.a03-2

What did you try? Burn or blank? DVD or CDR?

blanking CD-RW (cdrecord -dev=ATA:1,0,0 -blank=fast)
cdrecord: Operation not permitted. Cannot send SCSI cmd via ioctl

blanking CD-RW (cdrecord -dev=ATA:1,0,0 -blank=all)
cdrecord: Operation not permitted. Cannot send SCSI cmd via ioctl

burning .iso to CDR (cdrecord -dev=ATA:1,0,0 -driveropts=burnfree -data
anonymos-shmoo.iso)
cdrecord: Operation not permitted. Cannot send SCSI cmd via ioctl

Trying to burn the FC4 DVD image to a DVD-RW disc with information on it yeilds
nautilus-cd-burner response that I should insert a rewritable DVD disc or a DVDR
with 2.4gb of space - however this disc contains the FC4 DVD data. From cdrecord
in cli blanking and burning works though in this case.

Do you really own the device?

$ ls -l /dev/hd?

Yes I do

brw------- 1 david disk 22, 0  6 feb 15:48 /dev/hdc

could you please install ltrace and do:

$ ltrace cdrecord -dev=ATA:1,0,0 -blank=fast 2>&1 | tee cdrecord-ltrace.txt

and attach cdrecord-ltrace.txt

Created attachment 124263 [details]
cdrecord ltrace output

hmm.... output of:

$ cdrecord -dev=ATA:1,0,0 debug=1000 -blank=fast -VVVVVVVVVVVVVV -vvvvvvvvvv

Created attachment 124267 [details]
output cdrecord -dev=ATA:1,0,0 debug=1000 -blank=fast -VVVVVVVVVVVVVV -vvvvvvvvvv

Kernel does not allow the user to send SG_IO commands for Plextor drives.

*** Bug 179861 has been marked as a duplicate of this bug. ***

unlikely to be fixed by release time, and not blocker material (which is "cant
install / can't update" right now).

This needs work upstream.  The problem iirc is that we can't do the 'allowed
safe commands' on a per-device basis right now.

This also happens to real SCSI burner (my TEAC CD-R55S).

Making image from nautilus' CD/DVD creator (which can't burn it by itself) and
using `cdrecord -v image.iso` as root correctly writes to the disk. Thus my try
to chmod u+s `which cdrecord`, but then I get:
Cdrecord-Clone 2.01.01a03-dvd (i686-pc-linux-gnu) Copyright (C) 1995-2005 JÄÅrg
Schilling
NOTE: (blah blah)
TOC Type: 1 = CD-ROM
cdrecord: Resource temporarily unavailable. Cannot get mmap for 4198400 Bytes on
/dev/zero.

IIRC, setuid bit on cdrecord doesn't work since kernel 2.6.7 or 2.6.9 anyhow,
besides it can be considered insecure (what if an evil iso file could crash
cdrecord?) so this doesn't bother me. Still, a normal user would just go on and
log in to GNOME as root (if it's possible nowadays) to use
nautilus-cd-burner/K3b/xcdroast. This situation encourages, or even forces some
users to open their systems to all kinds of dangers, so is this really not
blocker material?

All this work is being put in SELinux and security, but I do su - to backup my
data and someone else may even log in as root possibly only to... read files
downloaded from the Internet (like isos).

I realize in reality the average user won't open the system to attacks (it's not
that obvious that root can burn CD-s when I can't), he/she'll just think Fedora
5 can't burn CD's (which is partly right) (last Fedora version I remember being
able to use my burner without root was 1 or 2 before some kernel update).

Since my burner is the only SCSI device in my system, using external PCI
controller, which has separate device driver, can the safe or unsafe commands be
allowed per-driver/module for folks like me? Or can cdrecord accept setuid (this
would still require some kernel change if the situation hasn't changed since FC2)?

While using Fedora Core 4, I had no problem buring CDs onto my Plextor SCSI
CD-RW drive as a normal user. After I upgraded to Fedora Core 5, I could no
longer burn CDs as a normal user. I have to make CDs as root What changed?

I am having the same problem with a Plextor PX-716A and 2.6.16-1.2080_FC5, which
worked fine under FC4 after we got past kernel 2.6.9. I assume that this is good
old SG_IO issue again. I tried upgrading the firmware on my Plextor to the
latest firmware, this has no effect.

I also have a Dell latitude D510 (DVD/cdrw), where cdrecord works like a charm
for non root users.

I do have a work around though for my Plextor. I have installed cdrecord from my
FC4 installation onto FC5. The cdrecord erase test can now be ran as a normal user. 

So what has changed in cdrecord between FC4 and FC5? 

same problem here:
I have to burners installed
1,0,0   100) 'PLEXTOR ' 'DVDR   PX-755A  ' '1.02' Removable CD-ROM
1,1,0   101) 'LITE-ON ' 'LTR-52246S      ' '6S0F' Removable CD-ROM
the second one works fine the first one only as root.
cdrecord: Operation not permitted. Cannot send SCSI cmd via ioctl 

downgraded to FC4 cdrecord an it seems to work fine.

Compareable here:
        1,0,0   100) 'PLEXTOR ' 'CD-R   PX-W2410A' '1.04' Removable CD-ROM
does not work, while
        1,1,0   101) 'TEAC    ' 'DV-W50D         ' '1.06' Removable CD-ROM
works fine.

With "cdrtools-2.01.01a07.tar.bz2" from ftp.berlios.de
(compiled and made suid root) both are working fine (but of cause no dvd support).

Same problem with NEC 3500A. It was working fine just 3 days ago.

Current version of cdrdao is cdrdao-1.2.1-1

I tried to burn cue/bin image on blank 700MB write once disk and it gave me same
error.

  I own PLEXTOR PX-W5224A and have same problem with cdrecord and every program
using it as backend (nautilus-burner, gnomebaker, ...).

  While trying to work the problem out I noticed something strange. When
cdrecord is using ATA transport it doesn't work when invoked by user, but when
ATAPI transport is specified cdrecord works when invoked by user.

  Here is how that look like:
  
  1. ATA transport

[juga@onosendai ~]$ cdrecord dev=ATA:1,0,0 -checkdrive
Cdrecord-Clone 2.01.01a03-dvd (i686-pc-linux-gnu) Copyright (C) 1995-2005 Jörg
Schilling
NOTE: This version contains the OSS DVD extensions for cdrtools and thus may
      have bugs related to DVD issues that are not present in the original
      cdrtools. Please send bug reports or support requests to
      http://bugzilla.redhat.com/bugzilla The original cdrtools author should
      not be bothered with problems in this version.
scsidev: '/dev/hdc'
devname: '/dev/hdc'
scsibus: -2 target: -2 lun: -2
Linux sg driver version: 3.5.27
Using libscg version 'schily-0.8'.
cdrecord: Warning: using inofficial libscg transport code version (schily - Red
Hat-scsi-linux-sg.c-1.85-RH '@(#)scsi-linux-sg.c      1.85 05/05/16 Copyright
1997 J. Schilling').
Device type    : Removable CD-ROM
Version        : 0
Response Format: 1
Vendor_info    : 'PLEXTOR '
Identifikation : 'CD-R   PX-W5224A'
Revision       : '1.03'
Device seems to be: Generic mmc CD-RW.
cdrecord: Operation not permitted. Cannot send SCSI cmd via ioctl


  2. ATAPI transport

[juga@onosendai ~]$ cdrecord dev=ATAPI:0,0,0 -checkdrive
Cdrecord-Clone 2.01.01a03-dvd (i686-pc-linux-gnu) Copyright (C) 1995-2005 Jörg
Schilling
NOTE: This version contains the OSS DVD extensions for cdrtools and thus may
      have bugs related to DVD issues that are not present in the original
      cdrtools. Please send bug reports or support requests to
      http://bugzilla.redhat.com/bugzilla The original cdrtools author should
      not be bothered with problems in this version.
scsidev: 'ATAPI:0,0,0'
devname: 'ATAPI'
scsibus: 0 target: 0 lun: 0
Use of ATA is preferred over ATAPI.
Warning: Using ATA Packet interface.
Warning: The related Linux kernel interface code seems to be unmaintained.
Warning: There is absolutely NO DMA, operations thus are slow.
Using libscg version 'schily-0.8'.
Device type    : Removable CD-ROM
Version        : 0
Response Format: 1
Vendor_info    : 'PLEXTOR '
Identifikation : 'CD-R   PX-W5224A'
Revision       : '1.03'
Device seems to be: Generic mmc CD-RW.
Using generic SCSI-3/mmc   CD-R/CD-RW driver (mmc_cdr).
Driver flags   : MMC-3 SWABAUDIO BURNFREE
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R

  Also you can notice the warning sign:

Warning: Using ATA Packet interface.
Warning: The related Linux kernel interface code seems to be unmaintained.
Warning: There is absolutely NO DMA, operations thus are slow.

Maybe this will help solving this really irritating problem!

I rolled back to the previous version of cdrdao 1.1.9-9 and now I can burn CDs
with my SCSI PlexWriter CDRW. The newer version of cdrdao 1.2.1-1 is the one
giving the above errors.

Jeff Peterson

(In reply to comment #22)
> I rolled back to the previous version of cdrdao 1.1.9-9 and now I can burn CDs
> with my SCSI PlexWriter CDRW. The newer version of cdrdao 1.2.1-1 is the one
> giving the above errors.
> 
> Jeff Peterson

This is untrue. Rolling cdrdao back has no effect at all on the problem - I'm
pretty sure it's a kernel issue.

Is there any progress resolving this?

Thanks.

Whoops, count me among the people nailed by this. I've just moved my homebrew (admittedly overly 
baroque) music jukebox system from an old RedHat 7.1 system to a spanking new Fedora Core 5 system, 
and I can no longer import nor burn CDs, because that requires a non-root Java process to be able to 
operate cdrdao and cdrecord.

I hope there is a fix on the horizon!

Me too: Plextor 716A
What is the difference between cdrecord 2.01.01.0.a03-3 and 2.01.1-9 (the old one)

(In reply to comment #25)
> Me too: Plextor 716A
BTW, in contrast to cdrecord, growisofs works, also with nautilus-cd-burner.
However the choice of writing speeds is strange:
31x (the lowest one)
47x
62x
94x
125x
These cannot be correct of course. The speed flag is passed on to
growisofs, so it probably uses the highest speed available, which
is problematic.

Same symptoms with a PlexWriter CD-R PX-W4012A on FC5 (fully updated.)
Kernel is kernel-2.6.16-1.2122_FC5.

I am having trouble burning cds to my plextor cd-r px-w4824a

Gnomebaker produces the error messages below, when I try.

Thanks in advance.


cdrecord: No write mode specified.
cdrecord: Asuming -tao mode.
cdrecord: Future versions of cdrecord may have different drive dependent defaults.
cdrecord: Continuing in 5 seconds...
cdrecord: Cannot allocate memory. WARNING: Cannot do mlockall(2).
cdrecord: WARNING: This causes a high risk for buffer underruns.
cdrecord: Operation not permitted. WARNING: Cannot set RR-scheduler
cdrecord: Permission denied. WARNING: Cannot set priority using setpriority().
cdrecord: WARNING: This causes a high risk for buffer underruns.
scsidev: '/dev/hdd'
devname: '/dev/hdd'
scsibus: -2 target: -2 lun: -2
Linux sg driver version: 3.5.27
cdrecord: Warning: using inofficial libscg transport code version (schily - Red
Hat-scsi-linux-sg.c-1.85-RH '@(#)scsi-linux-sg.c 1.85 05/05/16 Copyright 1997 J.
Schilling').
SCSI buffer size: 64512
cdrecord: Operation not permitted. Cannot send SCSI cmd via ioctl
Cdrecord-Clone 2.01.01a03-dvd (i686-pc-linux-gnu) Copyright (C) 1995-2005 Jörg
Schilling
NOTE: This version contains the OSS DVD extensions for cdrtools and thus may
have bugs related to DVD issues that are not present in the original
cdrtools. Please send bug reports or support requests to
http://bugzilla.redhat.com/bugzilla The original cdrtools author should
not be bothered with problems in this version.
TOC Type: 3 = CD-ROM XA mode 2
Using libscg version 'schily-0.8'.
atapi: 1
Device type : Removable CD-ROM
Version : 0
Response Format: 1
Vendor_info : 'PLEXTOR '
Identifikation : 'CD-R PX-W4824A'
Revision : '1.01'
Device seems to be: Generic mmc CD-RW.
Current: 0x0009
Profile: 0x0008
Profile: 0x0009 (current)
Profile: 0x000A

Just to save other people testing this, I have just re-tested with Kernel
2.6.17-1.2139_FC5 and a Plextor PX-716A. The problem still exists.

    FC4 cdrecord 2.01-dvd works with Plextor PX-716A

    FC5 cdrecord 2.01.01a03-dvd - doesn't work

looks like I will be using the old FC4 version of cdrecord for a while longer
yet ;-)

Shipping FC5 with this bug was embarrasing, shipping FC6 with it would be
downright shameful - can we get a pledge going to get this fixed?

I'll start out with offering 100USD for this to be fixed before FC6 Final as
it's holding me back from advocating GNU/Linux to anyone who shelled out for a
decent quality burner, not to mention holding me back from burning using any
kind of sane approach.

I'll also donate any amount of time needed for testing potential fixes.

Current kernel 2.6.17-1.2139_FC5 + cdrecord-2.01.01.0.a10-0.FC5.1 from
updates-testing still give me the same error for my old TEAC CD-R55S (which
isn't decent quality for David, but it does the job) as normal user.

But suddenly, chmod u+s /usr/bin/cdrecord made it work! (Current FC5 version
gave me the /dev/zero error message).

So it's fixed for me in updates-testing for FC5. It seems 5.90 aka 6test1 has
the same version onboard.

Other users may be scared of suid cdrecord. Can't the "allowed safe commands" be
set per-program by selinux? cdrecord won't try to record to hard drives anyhow,
right?

Running cdrecord suid would not be considered a viable solution I think, maybe
something like switching to libburn (and the cdrecord compatible wrapper for
that) would work better longterm. 
For now I think we'll have to wait for DaveJ or a similar guru to actually
propose a solution that would work for FC6.

the solution for looks simple just downgrade and report it upstream.

There is no upstream, read:
"The original cdrtools author should
not be bothered with problems in this version."
But try the version from updates-testing - it's based on new cdrecord, which
includes DVD recording without patches, so I guess it's closer to upstream now
and partly fixed the issue for me (using suid, but I'm brave).

Reassigning to -devel 

SCSI commands is simply the wrong place to solve the issue.  This is a polict
issue.  What works is a fix with sudo, and in the %post of cdrecord:

NONCE=`grep '/usr/bin/cdrecord' /etc/sudoers | awk '{print $1}'`
[ "x$NONCE" = "x" ] && \
echo "ALL     ALL = NOPASSWD: /usr/bin/cdrecord" >> /etc/sudoers

and a Requires: sudo

in the .spec file.

One could get fancy, and tie it into an active console login only. of course,
but if a person has a shell account on a box, any manner of local escalation
attacks are present.

david -- send the $100 to the FSF please

I prefer making it setuid root - not only it doesn't require additional package
and doesn't do anything in %post, but can drop privileges as soon as it's
possible (and afair it does, or at least tries). Also works from guis with no
effort at all.

Now we want to make it work without becoming root at all.

Right. Sudo is not an option, nor is requiring it to be setuid. I need to be able to run this as a user 
command because an unprivileged tomcat process needs to be able to operate these commands for my 
elaborate jukebox system to work properly.

They used to work, they need to work again. Don't make me go back to RedHat 7!

As mentioned earlier in this bug (comment #32), any solution suid, sudo or
similar is not a solution to this problem as it only brings back the security
issue we were trying to fix.

DaveJ has yet to comment on the solution he would like to see, I would also like
everyone here to add to the pledge rather than leaving it at a the 100 USD I can
afford to spend, we should all pool together for a solution that is acceptable
for inclusion in Fedora Core 6. As mentioned that excludes all manners of
running as root, sorry.

Time is running out, Test 2 hits soonish and that leaves only precious little
time to make this work. Don't let FC ship another release that doesn't burn CDs,
it's a regression and it is preventing a lot of users from doing what is to be
considered an every day task.

we should capture the commands that are required and patch the kernel to allow
them; this is somehow a hack but its better than no burning and it would be more
secure than sbit (and other root hacks)

Does the cdrecord downgrade in the development tree change anything?

Based upon a sample of one test to a CDRW - It works! :-)

I had actually replaced my Plextor with a different model just so that I could
burn some disks. Any how getting back to this thread. I installed FC5 + all
updates for 26 Aug on my old test pc. Installed Plextor PX-716 drive, as
expected it didn't work as a non root user.

Installed glibc + glibc-common + cdrecord-2.01-10 from development. Now normal
users can burn CDROMs again (I will test DVD writing later). I can attached
cdrecord debug outputs if they are required.

This is excellent news and I hope this makes FC6

I can now also confirm that DVD writing also works with cdrecord-2.01-10

Just a quick "me-too". It works for me! Thanks.

Ok guys. Judging from the above comments it appears that the downgrade to solve
the GPL/CDDL combination mess in later versions of cdrecord appears to fix this
problem as a nice side effect just as I thought. 

We have a ongoing discussion on linux scsi list to solve the general issue but
that shouldnt affect users now. Thank you for all the testing and feedback. I am
closing this bug now.