[linux-lvm] Bug! lvs shouldn't need 'root' access
Linda A. Walsh
lvm at tlinx.org
Mon Jul 11 01:24:23 UTC 2011
Alasdair G Kergon wrote:
> On Sun, Jul 10, 2011 at 10:40:13AM -0700, Linda A. Walsh wrote:
>> I could write to the darn things!, but all I NEED is read (hmmm
> I thought so too when we first began work on LVM, but - surprising
> to me - there's been hardly any demand expressed for this feature.
> The proposed method of handling this was to accept dm ioctls on
> the actual devices themselves controlled by normal ioctl permissions.
> Currently, you need CAP_SYS_ADMIN (and access to /dev/mapper/control).
Why is CAP_SYS_ADMIN needed to access a disk device when device
are already present for this?
I can put myself for view purposes in a group disk and give an
to the disks as well as /dev/mapper/control.
Being able to get status information out of the system shouldn't
require CAP_SYS_ADMIN NOR write access -- ability to 'read' should allow
with control by group. CAP_SYS_ADMIN is poor control, since how do I set
CAP_SYS_ADMIN on my login and *only* have it allow reading ???
Might as well run as root all the time.
Can this be revisited and a justification made why running "top"
sys_admin as well?
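The two gates named in this thread (file permission on /dev/mapper/control and CAP_SYS_ADMIN) can be checked separately; the sketch below is an added example, not part of the original message or of LVM. The function names, the sample status text and the `disk` gid of 6 are assumptions made for illustration.

```python
import os
import stat

CAP_SYS_ADMIN = 21                  # bit number from <linux/capability.h>
DM_CONTROL = "/dev/mapper/control"  # control node named in the thread

def effective_caps(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def group_can_read(mode, node_gid, user_gids):
    """True if the node's group bits grant read to one of user_gids.

    Simplified: owner and other bits are ignored, since the thread is
    about granting access through group membership.
    """
    return node_gid in user_gids and bool(mode & stat.S_IRGRP)

def dm_query_gates(status_text, mode, node_gid, user_gids):
    """Report each gate separately: passing one does not imply the other."""
    caps = effective_caps(status_text)
    return {
        "node_readable": group_can_read(mode, node_gid, user_gids),
        "cap_sys_admin": bool((caps >> CAP_SYS_ADMIN) & 1),
    }

# Constructed samples: an unprivileged login and a full-capability root.
DISK_GID = 6  # assumed gid of group "disk"
SAMPLE_USER = "Name:\tlvs\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_ROOT = "Name:\tlvs\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    # Live check of the current process against the real control node.
    with open("/proc/self/status") as fh:
        live = fh.read()
    try:
        st = os.stat(DM_CONTROL)
        print(dm_query_gates(live, st.st_mode, st.st_gid, set(os.getgroups())))
    except FileNotFoundError:
        print(DM_CONTROL, "not present")
```

For the constructed unprivileged sample, membership in the node's group satisfies the file-permission gate while the capability gate stays closed, which is the situation the message describes.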