[linux-lvm] Bug! lvs shouldn't need 'root' access
Alasdair G Kergon
agk at redhat.com
Mon Jul 11 02:24:33 UTC 2011
On Sun, Jul 10, 2011 at 06:24:23PM -0700, Linda A. Walsh wrote:
> Why is CAP_SYS_ADMIN needed to access a disk device when device
> are already present for this?
It is reading control information about the device, which is not the
same as reading the device itself.
A global CAP_SYS_ADMIN restriction is easy to implement and audit.
Anything else increases complexity and security exposure and like I
said, there's simply been hardly any demand to implement it - nor has
there been demand for proper selinux integration.
For now, configuring sudo is the closest you can get.
More information about the linux-lvm