On Tue, Apr 04, 2006 at 12:49:22PM -0700, Steve Langasek wrote: > On Mon, Apr 03, 2006 at 05:08:54PM -0400, Raul Miller wrote: > > On 4/3/06, Steve Langasek <[EMAIL PROTECTED]> wrote: > > > Raul suggested in > > > <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342455;msg=15> that > > > policy > > > should also be amended to spell out the permissions for disk devices -- do > > > we need to include text here which addresses that directly?
> > Perhaps the following item could be added to your draft (renumbering the > > current item 14 as 15) > > 14. RECOMMENDS policy be updated to reflect this determination > > on default block device permissions. > Thanks, added. The updated draft is attached. <sigh> Trying that again. :) -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. [EMAIL PROTECTED] http://www.debian.org/
WHEREAS
1. It is a limitation of the current device-mapper implementation in Debian
that all device nodes managed by libdevmapper are created with the same
hard-coded ownership and permissions; and
2. The standard owning group for disk device nodes is group "disk"; and
3. The sole reason for the existence of this group on Debian systems is
to control access to disk devices; and
4. The majority of device-mapper nodes expose data that is already
available to members of the disk group via the component disks; and
5. The use of a different owning group in these cases therefore makes
accessing the data more inconvenient but not more secure; and
6. The exception to the above is dm-crypt, whereby device-mapper nodes
expose data that is not available in unencrypted form from the
component disks; and
7. No single owning group satisfies all possible use cases for
device-mapper; but
8. Users of dm-crypt have the option of not adding users to the disk
group that they do not wish to have access to their unencrypted
dm-crypt volumes;
THE TECHNICAL COMMITTEE:
9. THANKS Bastian Blank for his continued maintenance of the devmapper
package in Debian; and
10. ALSO THANKS Roger Leigh for bringing this issue before the
committee; and
11. ENCOURAGES the devmapper maintainer to work towards support for
configurable device-mapper device permissions in Debian; and
12. DETERMINES that the correct default permissions for all device-mapper
nodes is root:disk 0660, with or without support for configurable device
permissions; and
13. ASKS (with a 3:1 majority: REQUIRES) the devmapper maintainer to
implement these permissions in unstable by applying Roger Leigh's
patch from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329409;msg=87;att=0;
and
14. RECOMMENDS policy be updated to reflect this determination on
default block device permissions; and
15. AUTHORIZES Roger to implement these same permissions in stable via a
non-maintainer upload.
signature.asc
Description: Digital signature
