[linux-lvm] Bug! lvs shouldn't need 'root' access

Linda A. Walsh lvm at tlinx.org
Mon Jul 11 01:24:23 UTC 2011

Alasdair G Kergon wrote:
> On Sun, Jul 10, 2011 at 10:40:13AM -0700, Linda A. Walsh wrote:
>> I could write to the darn things!, but all I NEED is read (hmmm
> I thought so too when we first began work on LVM, but - surprising 
> to me - there's been hardly any demand expressed for this feature.
> The proposed method of handling this was to accept dm ioctls on
> the actual devices themselves controlled by normal ioctl permissions.
> Currently, you need CAP_SYS_ADMIN (and access to /dev/mapper/control).
   Why is CAP_SYS_ADMIN needed to access a disk device when device 
are already present for this?

    I can put myself for view purposes in a group disk and give an 
read-only access
to the disks as well as /dev/mapper/control.

    Being able to get status information out of the system shouldn't 
require CAP_SYS_ADMIN NOR write access -- ability t0 'read' should allow 
reading of

with control by group.   CAP_SYS_ADMIN is poor control, since how do I set
CAP_SYS_ADMIN on my login and *only* have it allow reading ???

I don't.

Might as well run as root all the time.

Can this be revisited and a justification made why running "top" 
shouldn't require
sys_admin as well?

More information about the linux-lvm mailing list