[mdlug] Accessing dvd writer in k3b from a remote login

Jonathan Billings billings at negate.org
Tue Oct 23 21:00:44 EDT 2012


On Oct 23, 2012, at 8:09 PM, R KANNAN wrote:
> I fail to see why allowing 'dd' to be used through a remote login
> would be a security issue. 'ssh' after all is supposed to be secure
> and the user is authenticated. I can write to other file systems
> (provided I have the right permissions to those directories) as a
> remote user. Why is the cd/dvd writer any different?

In general, local resources that only make sense for local access, like CD drives and sound devices, should be restricted to someone with physical access. Part of the reason for this is that you don't want a remote user interfering with a local user's session. Also, it's best to limit the scope for potential driver bugs that might allow privilege escalation or denial of service.

The point isn't necessarily that ssh isn't secure, but that processes that aren't part of a console login session shouldn't be able to write to devices like the CD burner, which includes processes started by the SSH daemon. This sometimes causes problems with software like audio jukebox server daemons that try to access the sound device even though no local user is logged in. Of course, the device access methods seem to all be distro-specific and desktop-manager-specific in implementation.

--
Jonathan Billings <billings at negate.org>
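
The console-session versus SSH-session distinction described in the reply above, as an added example that is not part of the original post: a shell helper that classifies a login session from `loginctl show-session` output. It assumes a systemd-logind system (one of several distro-specific mechanisms); the sample session data is constructed and the device path /dev/sr0 is an assumption.

```shell
#!/bin/sh
# Added example (assumes systemd-logind). On such systems device ACLs for
# optical and sound devices are granted to the user of the active session
# on a local seat; sessions created by sshd are remote and have no seat.

# session_prop KEY: read Key=Value lines on stdin, print the value of KEY.
session_prop() {
    sed -n "s/^$1=//p" | head -n 1
}

# classify_session: read `loginctl show-session` properties on stdin and
# print one of: remote, no-seat, local-active, local-inactive.
classify_session() {
    props=$(cat)
    remote=$(printf '%s\n' "$props" | session_prop Remote)
    seat=$(printf '%s\n' "$props" | session_prop Seat)
    active=$(printf '%s\n' "$props" | session_prop Active)
    if [ "$remote" = "yes" ]; then
        echo remote            # e.g. started by the SSH daemon
    elif [ -z "$seat" ]; then
        echo no-seat           # daemon or cron-style session, no console
    elif [ "$active" = "yes" ]; then
        echo local-active      # the session expected to get device access
    else
        echo local-inactive    # local user switched away from the console
    fi
}

# Constructed sample property dumps (not captured from a real host).
SSH_SESSION='Remote=yes
Seat=
Active=yes
Service=sshd'
CONSOLE_SESSION='Remote=no
Seat=seat0
Active=yes
Service=gdm-password'

# live_check [DEVICE]: classify the current session and show the device's
# ownership and ACL so the two can be compared. DEVICE defaults to the
# assumed path /dev/sr0.
live_check() {
    dev=${1:-/dev/sr0}
    loginctl show-session "$XDG_SESSION_ID" -p Remote -p Seat -p Active |
        classify_session
    ls -l "$dev"
    getfacl "$dev"
}
```

Run `live_check` once from the console and once over ssh: only the `local-active` session's user should appear in the device's ACL.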



