Solved Using cdrecord in my account

Quarter Wave Vertical · Jan 25, 2016

I've been tinkering with making CDs with Mate.

I can make the ISO files using mkisofs(8) both in root and in my account. I can burn and, for CD-RWs, blank them in root. If I try to use cdrecord(1) in my account, though, I get several lines of error messages and nothing happens.

I've had problems in playing audio CDs in my account, but not in root. I eventually succeeded using VLC, though Mate kept giving me an error message whenever I put a disk in the drive. (My settings and permissions for this appeared to be correct.)

In view of this, I'm wondering if the problems with cdrecord(1) might be due to something in Mate. Did I overlook something, and is there a way around this, or do I have to log in as root to burn disks?

Please advise. Thank you.

protocelt · Jan 25, 2016

It's not a problem with MATE or something you did wrong. cdrecord(1) needs to run as root to work correctly. There are 3 ways you can accomplish that.

Run cdrecord(1) as root as you have been doing.
Install, configure and use security/sudo to run the command.
Set the setuid flag on cdrecord(1).

Personally I would ignore the third option as it creates a possible security vulnerability on your system.

asteriskRoss · Jan 25, 2016

Did you configure the device that is your CD writer so that your user account has write permission?

Quarter Wave Vertical · Jan 26, 2016

protocelt said:
It's not a problem with MATE or something you did wrong. cdrecord(1) needs to run as root to work correctly. There are 3 ways you can accomplish that.

Run cdrecord(1) as root as you have been doing.

Install, configure and use security/sudo to run the command.

Set the setuid flag on cdrecord(1).

Personally I would ignore the third option as it creates a possible security vulnerability on your system.

Thanks. I add that to my system.

Quarter Wave Vertical · Jan 26, 2016

asteriskRoss said:
Did you configure the device that is your CD writer so that your user account has write permission?

I thought I did, but I'll double check. Thanks.

protocelt · Jan 26, 2016

Yes, do make sure your device permissions are set correctly to allow reading and writing to the device by your user.

That said, cdrecord(1) is a special case in that even when device permissions are set correctly, it still needs to be run with root privileges. From the man page:

Code:

[...]

Constraints for running cdrecord
       On SVr4 compliant systems, cdrecord uses the real-time class to get the
       highest scheduling priority that is possible (higher than all kernel
       processes).  On systems with POSIX real-time scheduling cdrecord uses
       real-time scheduling too, but may not be able to gain a priority that
       is higher than all kernel processes.

       In order to be able to use the SCSI transport subsystem of the OS, run
       at highest priority and lock itself into core cdrecord either needs to
       be run as root, needs to be installed suid root or must be called via
       RBACs pfexec mechanism.

[...]

Quarter Wave Vertical · Jan 26, 2016

protocelt said:
Yes, do make sure your device permissions are set correctly to allow reading and writing to the device by your user.

That said, cdrecord(1) is a special case in that even when device permissions are set correctly, it still needs to be run with root privileges. From the man page:

Code:

[...] Constraints for running cdrecord On SVr4 compliant systems, cdrecord uses the real-time class to get the highest scheduling priority that is possible (higher than all kernel processes). On systems with POSIX real-time scheduling cdrecord uses real-time scheduling too, but may not be able to gain a priority that is higher than all kernel processes. In order to be able to use the SCSI transport subsystem of the OS, run at highest priority and lock itself into core cdrecord either needs to be run as root, needs to be installed suid root or must be called via RBACs pfexec mechanism. [...]

I guess that bit falls into the "don't blink, you might miss it" category as it slipped by me while I was reading that page.

I installed sudo, though it took me a while to log in as root. I kept typing in "sudo" instead of "su".

I did a few test runs with cdrecord earlier this evening and I had no problems with it.

Thanks for your assistance.

protocelt · Jan 26, 2016

Quarter Wave Vertical said:
I guess that bit falls into the "don't blink, you might miss it" category as it slipped by me while I was reading that page.

Just for completeness, I'll point you again to the almighty man page -> setuid(2)

Quarter Wave Vertical said:
I installed sudo, though it took me a while to log in as root. I kept typing in "sudo" instead of "su".

I'm not sure what you mean by logging in as root with security/sudo. sudo(8) is used to run a command as another user(or switch to another user), a lot of times to run a command with elevated privileges(root).

Tangentially related, I learned early on that reading through available man pages first was usually much easier and quicker than using your favorite search engine. I tend to trust a man page more than what I find on Google and FreeBSD's man pages are top-notch. Various people have put a lot of time and work into creating them and keeping them updated.

asteriskRoss · Jan 26, 2016

cdrecord(1) certainly has a comprehensive man page, including:

If you don't want to allow users to become root on your system,
cdrecord may safely be installed suid root. This allows all users or a
group of users with no root privileges to use cdrecord. Cdrecord in
this case checks if the real user would have been able to read the
specified files.

The man page goes on to suggest creating a cdburners group and ensuring that group has read and write permissions on the CD writer device. Personally, I would go with this option to configure permissions and set the setuid permission bit on cdrecord as protocelt suggested.

Quarter Wave Vertical · Jan 27, 2016

protocelt said:
Just for completeness, I'll point you again to the almighty man page -> setuid(2)

I'm not sure what you mean by logging in as root with security/sudo. sudo(8) is used to run a command as another user(or switch to another user), a lot of times to run a command with elevated privileges(root).

I used:

su root

Since it's only me on the machine, this does the job.

Tangentially related, I learned early on that reading through available man pages first was usually much easier and quicker than using your favorite search engine. I tend to trust a man page more than what I find on Google and FreeBSD's man pages are top-notch. Various people have put a lot of time and work into creating them and keeping them updated.

To be honest, I was a touch impatient as I was looking for which options to use.

Quarter Wave Vertical · Jan 27, 2016

asteriskRoss said:
cdrecord(1) certainly has a comprehensive man page, including:

The man page goes on to suggest creating a cdburners group and ensuring that group has read and write permissions on the CD writer device. Personally, I would go with this option to configure permissions and set the setuid permission bit on cdrecord as protocelt suggested.

I changed the sudoers file to allow wheel to have access as I added that membership in that group to my account while I was setting up something else.

As I heard while I worked in industry, if it works, don't fix it.

protocelt · Jan 27, 2016

Just thought I'd add that while I prefer to stick to CLI based tools to work with CD/DVDs and use security/sudo myself when needed, there are a few ports(sysutils/k3b-kde4 is one IIRC) that require you to use the method asteriskRoss mentioned he preferred in his above post #9 in order to work correctly.