[linux-lvm] lvcreate from a setuid-root binary
Zdenek Kabelac
zdenek.kabelac at gmail.com
Fri Nov 16 15:32:17 UTC 2018
On 16. 11. 18 at 14:43, Christoph Pleger wrote:
> Hello,
>
>> Let's stop there. The fact you're asking a question about setuid
>> suggests you don't understand enough to be able to use it safely.
>
> I get security by checking the real user id at the beginning of the program
> and aborting the program if that uid does not belong to the only user who is
> allowed to run the program. That user is me and I guess that it is much more
> insecure to run the whole service that wants to authenticate users through PAM
> as root.

How do you plan to 'authorize' passed command line options?

lvm2 is designed to be always executed with root privileges - so it's believed
admin knows how he can destroy his own system.

It is NOT designed/supposed to be used as suid binary - this would give user a
way too big power to very easily destroy your filesystem and gain root
privileges (i.e. by overwriting /etc/passwd file)

So I'd highly recommend to avoid this path - unless you have total control
over the users.

>
>> Go back to the beginning and describe the original problem you are
>> trying to solve and the constraints you have and ask for advice about
>> ways to achieve it.
>
> The beginning is that I want to create a user-specific logical volume when a
> user logs in to a service that authenticates its users through pam and that
> does not run as root.

You should probably consider some 'master & client' logic - where master runs
'allowed' rules translated to lvm2 commands internally on your server - and
client just issues some 'high-level' commands.

Regards

Zdenek

PS: there are some plans to support this over dBus - but not so much active
dBus development is going on ATM on lvm2 side....
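
Added example, not part of the original message and not lvm2 code: a sketch of the translation step on the privileged ("master") side of the split suggested above, where the client sends only a request name and a user name and the master builds the whole lvcreate command line itself. The request name, volume group, size and LV naming scheme are assumptions made for the illustration.

```python
import re

# Assumed policy values for this sketch; none of them come from the thread.
VOLUME_GROUP = "vg_users"      # hypothetical VG the master is allowed to touch
VOLUME_SIZE = "1G"             # fixed by the master, never chosen by the client
LVCREATE = "/sbin/lvcreate"    # absolute path, so no PATH lookup is involved
ALLOWED_REQUESTS = {"create-user-volume"}   # hypothetical high-level command
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_]{0,30}")


class RequestRejected(Exception):
    """The client's request falls outside the master's allow-list."""


def build_lvcreate_argv(request, username):
    """Translate one high-level request into a fixed lvcreate argv.

    The client never supplies lvm2 options, sizes, VG names or device paths,
    so there are no command line options left to 'authorize'.
    """
    if request not in ALLOWED_REQUESTS:
        raise RequestRejected("unknown request: %r" % (request,))
    # fullmatch: the whole string must fit the pattern, so leading dashes
    # (option injection), slashes, spaces and newlines are all rejected.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise RequestRejected("invalid user name")
    lv_name = "home_" + username
    # Returned as an argv list for subprocess.run(argv, shell=False),
    # so no shell ever parses client-supplied text.
    return [LVCREATE, "--name", lv_name, "--size", VOLUME_SIZE, VOLUME_GROUP]


if __name__ == "__main__":
    # Constructed sample requests, as a client might send them.
    samples = [
        ("create-user-volume", "alice"),
        ("create-user-volume", "--force"),
        ("create-user-volume", "../../etc/passwd"),
        ("remove-volume", "alice"),
    ]
    for request, username in samples:
        try:
            print("ALLOW", build_lvcreate_argv(request, username))
        except RequestRejected as exc:
            print("DENY ", (request, username), "-", exc)
```

The unprivileged service that authenticates through PAM would send the request over a local channel of its own choosing; only the master process runs as root.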