[linux-lvm] Bug! lvs shouldn't need 'root' access
Linda A. Walsh
lvm at tlinx.org
Mon Jul 11 02:31:01 UTC 2011
Alasdair G Kergon wrote:
> On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
>
>> Why is CAP_SYS_ADMIN needed to access a disk device when device
>> permissions
>> are already present for this?
>>
>
> It is reading control information about the device, which is not the
> same as reading the device itself.
>
> A global CAP_SYS_ADMIN restriction is easy to implement and audit.
> Anything else increases complexity and security exposure and like I
> said, there's simply been hardly any demand to implement it - nor has
> there been demand for proper selinux integration.
>
> For now, configuring sudo is the closest you can get.
>
----
Which is what I'm ending up doing...
putting 'sudo' in all my scripts.
It also means the 'lvs' command to show you how close your snapshots are
to full isn't readily available w/o sudo, (or building it into a script).
As for reading control information -- um....is there a reason why
the information
couldn't be exported through a /proc interface?
>
More information about the linux-lvm
mailing list