[linux-lvm] Bug! lvs shouldn't need 'root' access

Alasdair G Kergon agk at redhat.com
Mon Jul 11 02:24:33 UTC 2011


On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
> Why is CAP_SYS_ADMIN needed to access a disk device when device permissions
> are already present for this?

It is reading control information about the device, which is not the
same as reading the device itself.

A global CAP_SYS_ADMIN restriction is easy to implement and audit.
Anything else increases complexity and security exposure and like I
said, there's simply been hardly any demand to implement it - nor has
there been demand for proper SELinux integration.

For now, configuring sudo is the closest you can get.

Alasdair
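
A sudoers fragment for the sudo workaround mentioned above, as an added example that is not part of the original message. The group name `lvmview`, the file name and the `/sbin` paths are assumptions; check the real paths with `command -v lvs`.

```sudoers
# /etc/sudoers.d/lvm-report  (hypothetical file name; edit with: visudo -f /etc/sudoers.d/lvm-report)
#
# Read-only LVM reporting commands. The trailing "" in a sudoers command
# spec means "only when invoked with no arguments", so the grant covers
# the default report and not every option the tools accept.
Cmnd_Alias LVM_REPORT = /sbin/lvs "", /sbin/vgs "", /sbin/pvs ""

# Members of the (assumed) lvmview group may run those commands as root
# without a password prompt; nothing else is granted.
%lvmview ALL = (root) NOPASSWD: LVM_REPORT
```

With this in place a member of the group runs `sudo lvs`; `sudo -l` shows the user exactly which commands were granted.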
