[linux-lvm] Bug! lvs shouldn't need 'root' access

Linda A. Walsh lvm at tlinx.org
Tue Jul 12 10:58:49 UTC 2011

Alasdair G Kergon wrote:
> On Sun, Jul 10, 2011 at 10:40:13AM -0700, Linda A. Walsh wrote:
>> I could write to the darn things!, but all I NEED is read (hmmm
> I thought so too when we first began work on LVM, but - surprising 
> to me - there's been hardly any demand expressed for this feature.
> The proposed method of handling this was to accept dm ioctls on
> the actual devices themselves controlled by normal ioctl permissions.
> Currently, you need CAP_SYS_ADMIN (and access to /dev/mapper/control).
Ishtar:/suse/x86_64> filecap /sbin/lvm
file                 capabilities
/sbin/lvm     sys_admin
Ishtar:/suse/x86_64> llg /dev/mapper/control
crw-rw---- 1 root disk 10, 236 Jul  8 16:52 /dev/mapper/control
(am in group disk).

    Doesn't work.   Still get access failures.
(open not permitted)
I got slightly further with cap_rawio, (gave more error messages).

I'm sure with enough experimenting, I could eventually find the
required set, but it seems to be a bit more than 1 cap.

Oh well, not that important...just found the caplibs on my system
and decided to give them a try...(didn't know the bins were
in yet!....only remember discussing their implementation about
11 years back.  At least ACL's were faster...

(I made the exec +eip on the binary for sys_admin and rawio, and
that wasn't sufficient).

More information about the linux-lvm mailing list