Re: [PATCH 001/001] CHAR DRIVERS: a simple device to give daemons a/sys-like interface

From: Greg Kroah-Hartman
Date: Fri Aug 09 2013 - 17:54:55 EST

Next message: Anton Vorontsov: "Re: [PATCH] power: power: replace strict_strtol() with kstrtol()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 001/001] CHAR DRIVERS: a simple device to give daemons a/sys-like interface"
Next in thread: Bob Smith: "Re: [PATCH 001/001] CHAR DRIVERS: a simple device to give daemonsa /sys-like interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 07, 2013 at 02:53:50PM -0700, Bob Smith wrote:
> Greg Kroah-Hartman wrote:
> >>The proxy device nodes are application specific and need to be
> >>created as needed by applications.
> >
> >But applications do not have the permissions in a system to create
> >device nodes. Nor should they need that permission.
>
> Agreed. But you need root permissions to install an application
> and part of that installation can be setting up systemd files
> that allocate resources at boot.

Do you have examples of those systemd files? Last I looked, they didn't
have mknod permissions anymore, which is a good thing.

> Also, some applications start as root just so they can do this kind of
> allocation. The app can (and should) drop root privileges when it
> can.

You shouldn't require root for a new feature, that seems strange.

Also, namespaces aren't addressed at all, but that's a totally different
issue...

> >>Allocation of minor numbers is an issue but that is an issue that
> >>is separate from the proxy module itself.
> >How is it separate, it seems tied directly to it as something that must
> >be handled properly.
> It can, but does not need to be handled in the kernel. It could
> be handled in user space.
>
> >
> >>> Also, no, setting the permissions like this is not ok for a real system,
> >>> what is going to be in charge of setting the permissions on these random
> >>> device nodes?
> >> Again, compare proxy to a named pipe. It is up the application
> >> writer to decide who gets read and write access to its proxy
> >> nodes.
> >
> > Ok, but to do so, you have to have root permissions to start with, which
> > is generally not going to happen on sane systems. Only allowing root
> > access to this seems like a huge limitation.
>
> As noted above, yes, root has to set it up and set the permissions,
> but this is hardly unusual, is it?

Yes it is, modern userspace does not create any device nodes anymore,
please let's not regress on that point.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Anton Vorontsov: "Re: [PATCH] power: power: replace strict_strtol() with kstrtol()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 001/001] CHAR DRIVERS: a simple device to give daemons a/sys-like interface"
Next in thread: Bob Smith: "Re: [PATCH 001/001] CHAR DRIVERS: a simple device to give daemonsa /sys-like interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]