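#!/bin/bash
# © 2025 Friedhelm Mehnert <friedhelm@friedhelms.net>
#
# Gives cdrecord, cdda2wav, readcd and mkisofs the privileges they run with:
# file capabilities where setcap is available and succeeds, setuid root
# otherwise. Exactly one of the two mechanisms is left on each binary.

# errexit is set in the body rather than on the shebang line, where it is
# lost when the script is started as `bash <script>`.
set -e

# Capability set applied to every binary (effective + permitted).
# NOTE(review): cap_sys_admin and cap_dac_override make this set close to
# full root, and all four binaries receive the same list. Confirm which
# capabilities each program actually needs and trim the list per binary.
cdr_caps='cap_sys_resource,cap_dac_override,cap_sys_admin,cap_sys_nice,cap_net_bind_service,cap_ipc_lock,cap_sys_rawio+ep'

# We do not install suid root if capabilities are supported.
cdr_have_setcap=false
if command -v setcap >/dev/null 2>&1; then
  cdr_have_setcap=true
fi

for PROGRAM in /usr/bin/cdda2wav /usr/bin/cdrecord /usr/bin/readcd /usr/bin/mkisofs; do
  case "$PROGRAM" in
    /usr/bin/mkisofs)
      # mkisofs keeps its packaged owner and stays executable by everyone.
      # NOTE(review): that hands the privileges above to every local
      # account, not only to members of group cdrom. Confirm mkisofs needs
      # them at all; if it does, restrict it to root:cdrom like the others.
      cdr_suid_mode=4711
      # Same bits as the setuid mode minus the setuid bit. A group-writable
      # mode would let the file's group replace a privileged binary.
      cdr_caps_mode=0711
      ;;
    *)
      # Ownership comes first: chown clears the setuid bit on a regular
      # file, so the mode has to be applied afterwards.
      chown root:cdrom "$PROGRAM"
      cdr_suid_mode=4710
      cdr_caps_mode=0710
      ;;
  esac

  # setcap runs inside the condition so that a failure (for example a file
  # system without extended attributes) selects the setuid fallback instead
  # of aborting under errexit or leaving the binary with no privilege.
  if [ "$cdr_have_setcap" = true ] && setcap "$cdr_caps" "$PROGRAM"; then
    chmod "$cdr_caps_mode" "$PROGRAM"
  else
    chmod "$cdr_suid_mode" "$PROGRAM"
  fi
done

#DEBHELPER#

exit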
