[linux-lvm] Bug! lvs shouldn't need 'root' access
Linda A. Walsh
lvm at tlinx.org
Tue Jul 12 10:58:49 UTC 2011
Alasdair G Kergon wrote:
> On Sun, Jul 10, 2011 at 10:40:13AM -0700, Linda A. Walsh wrote:
>
>> I could write to the darn things!, but all I NEED is read (hmmm
>>
>
> I thought so too when we first began work on LVM, but - surprising
> to me - there's been hardly any demand expressed for this feature.
>
> The proposed method of handling this was to accept dm ioctls on
> the actual devices themselves controlled by normal ioctl permissions.
>
> Currently, you need CAP_SYS_ADMIN (and access to /dev/mapper/control).
>
Ishtar:/suse/x86_64> filecap /sbin/lvm
file capabilities
/sbin/lvm sys_admin
Ishtar:/suse/x86_64> llg /dev/mapper/control
crw-rw---- 1 root disk 10, 236 Jul 8 16:52 /dev/mapper/control
(am in group disk).
---
Doesn't work. Still get access failures.
(open not permitted)
I got slightly further with cap_rawio, (gave more error messages).
I'm sure with enough experimenting, I could eventually find the
required set, but it seems to be a bit more than 1 cap.
Oh well, not that important...just found the caplibs on my system
and decided to give them a try...(didn't know the bins were
in yet!....only remember discussing their implementation about
11 years back. At least ACL's were faster...
(I made the exec +eip on the binary for sys_admin and rawio, and
that wasn't sufficient).
More information about the linux-lvm
mailing list