On Wed, 26 Jul 2000, Oliver Xymoron wrote:
> On Wed, 26 Jul 2000, Linus Torvalds wrote:
>
> > If somebody sends me a patch to change CAP_SYS_ADMIN into CAP_SYS_RAWIO,
> > I'll apply it in a jiffy.
>
> Vojtech Pavlik posted this for IDE:
>
> --- ide.c.old Sat Jul 22 10:19:37 2000
> +++ ide.c Sat Jul 22 10:22:02 2000
> @@ -2557,7 +2557,7 @@
> byte args[4], *argbuf = args;
> byte xfer_rate = 0;
> int argsize = 4;
> - if (!capable(CAP_SYS_ADMIN)) return -EACCES;
> + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES;
> if (NULL == (void *) arg)
> return ide_do_drive_cmd(drive, &rq, ide_wait);
> if (copy_from_user(args, (void *)arg, 4))
> @@ -2595,7 +2595,7 @@
> {
> byte args[7], *argbuf = args;
> int argsize = 7;
> - if (!capable(CAP_SYS_ADMIN)) return -EACCES;
> + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES;
> if (copy_from_user(args, (void *)arg, 7))
> return -EFAULT;
> err = ide_wait_cmd_task(drive, argbuf);
>
> And I posted this for SCSI:
>
> --- scsi_ioctl.c~ Tue Mar 14 00:15:03 2000
> +++ scsi_ioctl.c Sat Jul 22 11:21:36 2000
> @@ -410,7 +410,7 @@
> case SCSI_IOCTL_PROBE_HOST:
> return ioctl_probe(dev->host, arg);
> case SCSI_IOCTL_SEND_COMMAND:
> - if (!capable(CAP_SYS_ADMIN))
> + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
> return -EACCES;
> return scsi_ioctl_send_command((Scsi_Device *) dev,
> (Scsi_Ioctl_Command *) arg);
>
> Arguably RAWIO subsumes ADMIN in theory, but I'll leave it to capabilities
> experts to decide whether this should have only one check.
Yes, and please be careful not to choke current admin-tools.
I am not a "capabilities experts" just paranoid with some cause in mind
but it escapes me now.
Cheers,
Andre Hedrick
The Linux ATA/IDE guy
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Jul 31 2000 - 21:00:22 EST