Re: [linux-lvm] Bug! lvs shouldn't need 'root' access
- From: Alasdair G Kergon <agk redhat com>
- To: "Linda A. Walsh" <lvm tlinx org>
- Cc: LVM general discussion and development <linux-lvm redhat com>
- Subject: Re: [linux-lvm] Bug! lvs shouldn't need 'root' access
- Date: Mon, 11 Jul 2011 03:24:33 +0100
On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
> Why is CAP_SYS_ADMIN needed to access a disk device when device
> permissions are already present for this?

It is reading control information about the device, which is not the
same as reading the device itself.

A global CAP_SYS_ADMIN restriction is easy to implement and audit.
Anything else increases complexity and security exposure and like I
said, there's simply been hardly any demand to implement it - nor has
there been demand for proper SELinux integration.

For now, configuring sudo is the closest you can get.

Alasdair
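
One way to apply the sudo suggestion in the message above, shown as an added example that is not part of the original post or of the LVM project. The file name, the `/sbin` paths and the `lvmview` group are assumptions; adjust them to the local system.

```sudoers
# /etc/sudoers.d/lvm-report   (hypothetical file name)
# Check syntax before installing:  visudo -cf /etc/sudoers.d/lvm-report
# Assumption: the LVM tools are installed under /sbin.
# Assumption: "lvmview" is a local group created for users who may
#             read LVM reports but must not change storage.

# Too broad (left commented out): the generic "lvm" front end accepts
# every LVM subcommand, including ones that modify or remove volumes.
# %lvmview ALL = (root) NOPASSWD: /sbin/lvm

# Narrower: reporting commands only. The trailing "" tells sudo to
# permit the command only when it is run with no arguments at all,
# so callers cannot pass extra options through to the tool.
Cmnd_Alias LVM_REPORT = /sbin/lvs "", /sbin/vgs "", /sbin/pvs ""

%lvmview ALL = (root) NOPASSWD: LVM_REPORT
```

Members of the group then run `sudo lvs`; each invocation is recorded in the sudo log, which keeps the privileged access auditable.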