On Oct 4, 2016 12:11 PM, "Dan Williams" <[email protected]> wrote:
>
> On Tue, 2016-10-04 at 12:08 -0400, Peter Jones wrote:
> > On Tue, Oct 04, 2016 at 11:03:05AM -0500, Dan Williams wrote:
> > >
> > > All the iSCSI boot entries are read-only anyway; it's unclear why the
> > > CAP_SYS_ADMIN restriction is in place since this information isn't
> > > particularly sensitive and cannot be changed. Userspace applications
> > > may want to read this without requiring CAP_SYS_ADMIN for their
> > > entire process just for iBFT info.
> > >
> > > Signed-off-by: Dan Williams <[email protected]>
> >
> > Uh, because there are login credentials to the target in there.
>
> Fair enough. So can we just check CAP_SYS_ADMIN for the login
> credentials, and not check it for all the IP details and such?
The only consumer is iscsiadm - which runs as root. So why expose this information to non-root?

> > Dan > > > > > > > --- > > > drivers/scsi/iscsi_boot_sysfs.c | 3 --- > > > 1 file changed, 3 deletions(-) > > > > > > diff --git a/drivers/scsi/iscsi_boot_sysfs.c > > > b/drivers/scsi/iscsi_boot_sysfs.c > > > index d453667..4e9c324 100644 > > > --- a/drivers/scsi/iscsi_boot_sysfs.c > > > +++ b/drivers/scsi/iscsi_boot_sysfs.c > > > @@ -47,9 +47,6 @@ static ssize_t iscsi_boot_show_attribute(struct > > > kobject *kobj, > > > ssize_t ret = -EIO; > > > char *str = buf; > > > > > > - if (!capable(CAP_SYS_ADMIN)) > > > - return -EACCES; > > > - > > > if (boot_kobj->show) > > > ret = boot_kobj->show(boot_kobj->data, boot_attr- > > > >type, str); > > > return ret; > > > -- > > > 2.7.4 > >
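Review bot: The capable(CAP_SYS_ADMIN) check removed at the top of iscsi_boot_show_attribute() is the only access gate visible in this function, and it covers every attribute routed through boot_kobj->show(), so dropping it unconditionally also opens the target login credentials raised in the reply above to unprivileged readers. Consider keeping the check but making it conditional on boot_attr->type, so that it still returns -EACCES for the credential attributes and is skipped only for the IP details and similar fields, as proposed in the follow-up. The commit message's statement that this information "isn't particularly sensitive" should then be revised to say which attributes remain restricted and why.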
