Re: PATCH: cdrecord: avoiding scsi device numbering for ide devices
From: Bill Davidsen
Date: Mon Aug 23 2004 - 15:45:30 EST
Tonnerre wrote:
Well, for that it might be a nice feature to register and delete such
filters online, using a register/remove_scsi_filter interface, but
well, otoh that might be undesirable security-wise.
Let me throw out two ideas to see if anyone find them useful.
1 - loadable command filters in the kernel.
Each device could have a filter set, which could be empty to require
RAWIO capability, or set to a kernel default. Access could be made to
modify a filter via proc, sysfs, or ioctl. The set method is not
relevant to the idea.
2 - a filter program.
This one can be done right now, no kernel mod needed. A program with
appropriate permissions can be started, and will create a command/status
fifo pair with permissions which allow only programs with group
permission to open. This allows the admin to put in any filter desired,
know about vendor commands, etc. It also allows various security setups,
the group can be on the user (trusted users) or on a setgid program
(which limits the security issues).
Note that the permissions on individual devices need not be the same; I
can have one group for disk, another for CD/DVD. You caould even be anal
and have the filter time sensitive, etc.
A 'standard" place for the fifos helps portability, /var/sgio/dev/hda
might be a directory, with fifos command and status.
Okay, did I miss something, or can this be solved without any additional
kernel hacks?
--
-bill davidsen (davidsen@xxxxxxx)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/