[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [linux-lvm] Bug! lvs shouldn't need 'root' access



On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
>   Why is CAP_SYS_ADMIN needed to access a disk device when device  
> permissions
> are already present for this?

It is reading control information about the device, which is not the
same as reading the device itself.

A global CAP_SYS_ADMIN restriction is easy to implement and audit.
Anything else increases complexity and security exposure and like I
said, there's simply been hardly any demand to implement it - nor has
there been demand for proper selinux integration.

For now, configuring sudo is the closest you can get.

Alasdair


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]