[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [linux-lvm] Bug! lvs shouldn't need 'root' access





Alasdair G Kergon wrote:
On Sun, Jul 10, 2011 at 10:40:13AM -0700, Linda A. Walsh wrote:
I could write to the darn things!, but all I NEED is read (hmmm

I thought so too when we first began work on LVM, but - surprising to me - there's been hardly any demand expressed for this feature.

The proposed method of handling this was to accept dm ioctls on
the actual devices themselves controlled by normal ioctl permissions.

Currently, you need CAP_SYS_ADMIN (and access to /dev/mapper/control).
----
Why is CAP_SYS_ADMIN needed to access a disk device when device permissions
are already present for this?


I can put myself for view purposes in a group disk and give an read-only access
to the disks as well as /dev/mapper/control.


Being able to get status information out of the system shouldn't require CAP_SYS_ADMIN NOR write access -- ability t0 'read' should allow reading of
status.

with control by group.   CAP_SYS_ADMIN is poor control, since how do I set
CAP_SYS_ADMIN on my login and *only* have it allow reading ???

I don't.

Might as well run as root all the time.

Can this be revisited and a justification made why running "top" shouldn't require
sys_admin as well?



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]