Bug 1580021 - wodim missing u+s will prevent usage at least by k3b
Status: CLOSED DUPLICATE of bug 1583845
Alias: None
Product: Fedora
Classification: Fedora
Component: cdrkit
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Pavel Cahyna
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-19 07:41 UTC by Peter Bieringer
Modified: 2019-06-05 20:19 UTC (History)
Last Closed: 2019-05-04 06:06:09 UTC
Type: Bug
Description Peter Bieringer 2018-05-19 07:41:32 UTC
Description of problem:
k3b can't be used anymore in FC28 to burn CDs without tweaking wodim's binary permission to u+s


Version-Release number of selected component (if applicable):
k3b-17.12.3-1.fc28.x86_64
wodim-1.1.11-38.fc28.x86_64


How reproducible:
Always


Steps to Reproduce:
1. upgrade to FC28
2. start k3b


Settings -> Configure -> Devices

In order to give K3b full access to the writer device the current user needs be added to a group cdrom.
The Permission helper that could do this for you was not enabled during build.
Please rebuild the package with the Permission helper enabled or contact your distribution.


3. add user to group cdrom

4. restart k3b -> message disappears

5. try to burn a CD

Actual results:

cdrecord permission problem CD can't be burned

Debug output:

cdrecord
-----------------------
/usr/bin/wodim: Operation not permitted. Warning: Cannot raise RLIMIT_MEMLOCK limits.
scsidev: '/dev/sr0'
devname: '/dev/sr0'
scsibus: -2 target: -2 lun: -2
/usr/bin/wodim: Cannot allocate memory. 
Cannot open SCSI driver!
For possible targets try 'wodim --devices' or 'wodim -scanbus'.
For possible transport specifiers try 'wodim dev=help'.
For IDE/ATAPI devices configuration, see the file README.ATAPI.setup from
the wodim documentation.
TOC Type: 1 = CD-ROM

Expected results:


Additional info:

after

chmod u+s /usr/bin/wodim 

it is working again (but this is somehow dangerous)

Strangely, reduction to

chmod o-rwx /usr/bin/wodim
chgrp cdrom /usr/bin/wodim

is also not working, looks like the group membership "cdrom" isn't really used.

Reproduced on 2 systems

Comment 1 Julien HENRY 2018-05-24 11:44:40 UTC
I can confirm the issue, and the workaround is working fine. Thanks!

Comment 2 Manuel Reinhardt 2018-09-10 13:45:54 UTC
I can confirm this issue as well. Additionally I had to add my user to the cdrom group (where it should have been by default I think?).

Comment 3 Albert Flügel 2018-10-26 08:52:48 UTC
Please see my comment #5 to Bug 1583845 for an analysis of the problem.
https://bugzilla.redhat.com/show_bug.cgi?id=1583845#c5

Comment 4 Jörg Schilling 2018-11-14 14:23:30 UTC
wodim only exists because a hostile and uninformed Debian packetizer believed that writing optical media does not need special privileges while starting personal attacks against me in May 2004.

His claim never has been true for any platform and this never has been true for Linux.

Since the main method used to "make the claim to apparently work" was to remove security checking code, I cannot tell whether wodim is a security risk when installed suid root.

The original software always was and is audited for security in this mode and not a risk.

In addition, cdrecord supports to work with fine grained privileges on Solaris since January 2006 and after Linux added similar support in 2013, the fine grained privilege support was enhanced to Linux.

I recommend to use recent original software instead of the long dead code that was only seen as a hostile social attack from Debian.

Check the most recent original code as part of the schilytools at:

http://sourceforge.net/projects/schilytools/files/

Comment 5 Knud Christiansen 2018-12-11 21:43:32 UTC
For what ever it tells:
In F29 k3b works as expected just out of the box

Comment 6 Chance Callahan 2019-02-15 14:30:58 UTC
Adding on to this, on F29 Brasero and K3B are bugging out unless I chmod that file as above, even if I am part of the cdrom group.

I'm attaching the relevant parts of my before log from Brasero, I don't have one handy for K3B.

BraseroWodim called brasero_job_set_current_action
BraseroWodim got varg:
	wodim
	-v
	dev=/dev/sr0
	speed=24
	driveropts=burnfree
	-dao
	fs=16m
	-audio
	-pad
	-useinfo
	-text
	/tmp/brasero_tmp_BT22WZ/cd_file_01.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_02.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_03.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_04.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_05.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_06.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_07.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_08.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_09.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_10.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_11.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_12.cdr
	/tmp/brasero_tmp_BT22WZ/cd_file_13.cdr
BraseroWodim Launching command
BraseroWodim called brasero_job_get_fd_out
BraseroWodim called brasero_job_get_fd_in
BraseroWodim called brasero_job_get_fd_out
BraseroWodim stderr: wodim: Operation not permitted. Warning: Cannot raise RLIMIT_MEMLOCK limits.
BraseroWodim called brasero_job_get_flags
BraseroWodim stdout: TOC Type: 0 = CD-DA
BraseroWodim stderr: wodim: Resource temporarily unavailable. Cannot get mmap for 16781312 Bytes on /dev/zero.
BraseroWodim called brasero_job_get_flags
BraseroWodim stdout: HUP
BraseroWodim stderr: HUP
BraseroWodim process finished with status 11
BraseroWodim called brasero_job_error
BraseroWodim finished with an error
BraseroWodim asked to stop because of an error
	error		= 0
	message	= "no message"
BraseroWodim stopping
Session error : unknown (brasero_burn_record brasero-burn.c:2859)
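
Added example, not part of any comment above: the wodim output in the description and in comment 6 fails first on raising RLIMIT_MEMLOCK and then on the buffer allocation for fs=16m. Assuming the locked-memory limit is what blocks the non-setuid binary, this shell sketch (function names are hypothetical) reports whether a binary carries the setuid bit and whether a given "ulimit -l" value covers the requested FIFO.

```shell
#!/bin/sh
# Added diagnostic, not code from the bug report or from cdrkit.
# All function names are hypothetical.

# to_bytes SIZE: convert a wodim-style size such as "16m" or "512k" to bytes.
to_bytes() {
    case "$1" in
        *[kK]) echo $(( ${1%[kK]} * 1024 )) ;;
        *[mM]) echo $(( ${1%[mM]} * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# memlock_ok LIMIT NEED_BYTES: succeed if an RLIMIT_MEMLOCK value as printed
# by "ulimit -l" (KiB, or the word "unlimited") covers NEED_BYTES.
memlock_ok() {
    [ "$1" = unlimited ] && return 0
    [ $(( $1 * 1024 )) -ge "$2" ]
}

# precheck BINARY LIMIT FIFO_SIZE: print one finding per line.
# The log shows wodim asking for 16781312 bytes with fs=16m, slightly more
# than the FIFO itself, so the memlock result here is a lower bound.
precheck() {
    bin=$1 limit=$2 need=$(to_bytes "$3")
    if [ ! -e "$bin" ]; then
        echo "binary: missing"
    elif [ -u "$bin" ]; then
        echo "binary: setuid bit set (runs with the file owner's privileges)"
    else
        echo "binary: no setuid bit"
    fi
    if memlock_ok "$limit" "$need"; then
        echo "memlock: limit $limit KiB covers $need bytes"
    else
        echo "memlock: limit $limit KiB is below $need bytes"
    fi
}

# Check the path and FIFO size that appear in the logs above.
precheck /usr/bin/wodim "$(ulimit -l 2>/dev/null || echo 0)" 16m
```

Running it before and after a permission change gives a record of whether the setuid workaround is in place on a host.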

Comment 7 Albert Flügel 2019-02-24 12:49:03 UTC
My comment #3, analysis and workaround without setuid bits still hold. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1583845#c5

Comment 8 Jörg Schilling 2019-02-25 14:24:15 UTC
The background is that wodim has been created in order to harm the original cdrtools.

The people from Debian removed all consistency checks that exist in the original software. This is why you see the behavior from above.

Background: 

before May 2004, Linux required root privileges to be able to open /dev/sg* with write permissions which was required to send any SCSI command.

Then a novice programmer (Douglas Gilbert) added ioctls without checking for permissions and introduced a big security problem.

Linus Torvalds in May 2004 did not fix that security problem but rather made an incompatible change to the /dev/sg interface.
This modification allows to send *some* SCSI commands without being root but fails to allow all needed SCSI commands for CD/DVD writing.

The Debian people behind the campaign against cdrtools miss the skills to understand this problem and created
a fork from cdrtools in May 2004. This fork is full of Debian specific bugs and never has been fixed since then.

The original cdrtools introduced a root-less method since Linux added support for fine grained privileges in 2013.
Note that the original code has been audited for safe suid root installation and for fine grained privs but
"wodim" only allows unverified suid root installation.

It is recommended to use the actively maintained original software instead of the Debian fake.

(In reply to Albert Flügel from comment #7)
> My comment #3, analysis and workaround without setuid bits still hold.
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1583845#c5

Comment 9 Ben Cotton 2019-05-02 19:21:06 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 10 Ben Cotton 2019-05-02 19:22:26 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 Peter Bieringer 2019-05-04 06:06:09 UTC
it looks like after upgrade to F30 no changes are required

Comment 12 Jörg Schilling 2019-05-04 07:24:03 UTC
Even if the newer version did install this fake program with the needed permissions, this is not
the solution for the general problem that is caused by the fact that "cdrkit" is full of other
bugs and completely unmaintained.

k3b was written for the original cdrtools software and not for the buggy "cdrkit" and
"cdrkit" was not created in order to solve a OSS problem but rather in order to attack the OSS
system, read the background:

In May 2004 - 15 years ago, some hostile people from Debian started with the original cdrtools source from that
time and created a fishy variant by adding approx. 100 bugs in total to all relevant programs (cdrecord, cdda2wav, 
readcd, mkisofs, ...); see the Debian bug database from that time that documents the bugs and the fact that they
never have been fixed.

Since these people from Debian also removed Copyright notices, the modified source from Debian is not legal 
for various reasons. In 2005, Debian started with a defamation campaign against cdrtools based on nothing but
libel and slander. This is of course illegal as well.

BTW: because of these bugs, the permission to use the original names for the programs in the Debian variant
has been withdrawn in August 2006 and this resulted in the rename of the programs in September 2006. An act
that later has been incorrectly called the "Creation of a fork" by Debian even though that beast exists since
May 2004 already (see the identical list of Debian specific bugs).

Since the end of 2004, no relevant modifications have been applied to that modified Debian source and in 
May 2007 all activities (except some typo fixes) finally stopped. There are rumors that the main actor
did this all just in order to get visibility for better chances to get a job at "Nero" and has been forbidden
to continue with his attacks by his new boss after he got that job.


As a result, nearly all of the bugs that have been introduced in 2004 are still present and no will at Redhat's
side to fix that situation is visible. In special, given that 15 years passed meanwhile, there does not seem to
be any hope that this buggy cdrkit will ever be fixed - regardless of what Fedora version you are using.

At the same time, major development activities have been applied to the original source. Dozens of important
bugs (that affect the integrity of the created filesystems) have been fixed in mkisofs and all programs from
the suite more than doubled their features.

It may be important to know that all major sites that asked their legal department for help (e.g. Suse, Sun,
Oracle) ship the original cdrtools suite and that Redhat never asked a lawyer for help. So the fact that
Redhat still does not ship the original software seems to be some sort of own defamation campaign. It would 
be interesting to see whether IBM is willing to support that lawless state of Redhat in the future.

There is a simple way to get rid of many bugs: toss cdrkit to where it belongs, into the junk yard and start
shipping the legal and much better original software that still gets frequent updates (see the schilytools
tarballs for verification that are published in an average bi-weekly frequency).

Note that there never has been any legal problem in the original sources. All programs (except mkisofs) are
100% CDDL - a fully accepted OSS license. Mkisofs is a GPLd program that uses some CDDLd libraries. This is
a method that has been approved by Eben Moglen, since he fully accepted the use of GNU tar (a GPLd program)
legally on OpenSolaris, where it uses CDDLd libraries.

So we need to check whether Redhat will continue to ignore their users or whether Redhat will come back to the
"bright side of the Source". I have little hope but I am open for a change.

Comment 13 Kevin Kofler 2019-06-05 20:19:15 UTC

*** This bug has been marked as a duplicate of bug 1583845 ***

