Re: PATCH: cdrecord: avoiding scsi device numbering for ide devices
From: Marc Ballarin
Date: Sat Aug 21 2004 - 06:24:02 EST
On Sat, 21 Aug 2004 10:04:38 +0100
David Greaves <david@xxxxxxxxxxxx> wrote:
> Thanks - I get that :)
>
> The 'write' point is that from a data perspective you've already lost
> your data (which is the most valuable thing from a security
> perspective). I agree it's nice to give people write access to hardware
> and not let them melt it permanently. However, if the semantics don't
> allow 'safe' writing then prevent all user writing and use setgid for
> safe programs (which is essentially what you are doing anyway) to allow
> users to write.
>
That's basically my idea. By default CAP_SYS_RAWIO is needed to issue any
comand. This will work fine if the software has been adjusted accordingly
*and* there is a software for the desired purpose.
However, there are cases where users have to be granted read or write
access to devices (databases, strange hardware, co-admins). In this cases,
the admin should be able to allow certain SCSI commands even for non-root
users.
Regards
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/