Comment 93 for bug 213215

In , Jörg (jrg-redhat-bugs) wrote :

A few years ago, I checked the Linux caps and it seems that, except for the needed SCSI settings that seem to be unclear to me on Linux, there is a 1:1 match with the other privileges used with pfexec on Solaris.

In any case, cdrecord, cdda2wav and readcd all need to actively maintain the capabilities at runtime, as they need to give up "file_dac_read" after opening the SCSI devices. For this reason, there is a need for support code similar to what is already present for Solaris. If this were not done, cdrecord could burn any local file (regardless of the calling user), which is not intended.
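
Added example, not part of the comment above and not cdrecord's code: a sketch of the open-then-drop pattern on Linux using the raw `capget`/`capset` system calls. It assumes `CAP_DAC_READ_SEARCH` is the nearest Linux counterpart of Solaris `file_dac_read`; the function names and the `/dev/null` stand-in for a SCSI device are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fetch this process's capability sets (v3 ABI: two 32-bit words per set). */
static int get_caps(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}

/* 1 if cap is in the effective set, 0 if not, -1 on error. */
int has_cap(int cap)
{
    struct __user_cap_data_struct d[2];
    if (get_caps(d) != 0) return -1;
    return (int)((d[cap >> 5].effective >> (cap & 31)) & 1u);
}

/* Clear cap from effective, permitted and inheritable sets.
 * Clearing the permitted bit means the process cannot raise it again. */
int drop_cap(int cap)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    __u32 keep = ~(1u << (cap & 31));
    if (get_caps(d) != 0) return -1;
    d[cap >> 5].effective   &= keep;
    d[cap >> 5].permitted   &= keep;
    d[cap >> 5].inheritable &= keep;
    return (int)syscall(SYS_capset, &h, d);
}

/* Open the device while still privileged, then drop the read-override
 * capability before any user-named data file is opened.
 * The drop happens even if open() failed. Returns the fd, or -1. */
int open_device_then_drop(const char *dev)
{
    int fd = open(dev, O_RDWR);
    if (drop_cap(CAP_DAC_READ_SEARCH) != 0) {   /* assumed file_dac_read analogue */
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_device_then_drop("/dev/null"); /* constructed stand-in device */
    printf("fd=%d cap_dac_read_search effective=%d\n", fd, has_cap(CAP_DAC_READ_SEARCH));
    return fd < 0;
}
```

After the drop, later `open()` calls on the files to be written are checked against the calling user's own permissions.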