[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [linux-lvm] Bug! lvs shouldn't need 'root' access





Alasdair G Kergon wrote:
On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
Why is CAP_SYS_ADMIN needed to access a disk device when device permissions
are already present for this?

It is reading control information about the device, which is not the
same as reading the device itself.

A global CAP_SYS_ADMIN restriction is easy to implement and audit.
Anything else increases complexity and security exposure and like I
said, there's simply been hardly any demand to implement it - nor has
there been demand for proper selinux integration.

For now, configuring sudo is the closest you can get.
----
   Which is what I'm ending up doing...

putting 'sudo' in all my scripts.

   It also means the 'lvs' command to show you how close your snapshots are
to full isn't readily available w/o sudo, (or building it into a script).

As for reading control information -- um....is there a reason why the information
couldn't be exported through a /proc interface?





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]