subject:"Antw\: Re\: \[PATCH\] iscsi_ibft,iscsi_boot\: remove CAP_SYS

Antw: Re: [PATCH] iscsi_ibft,iscsi_boot: remove CAP_SYS_ADMIN restriction for reading entries

2016-10-06 Thread Ulrich Windl

>>> Konrad Rzeszutek Wilk  schrieb am 05.10.2016 um 01:23 in
Nachricht
:
> On Oct 4, 2016 12:11 PM, "Dan Williams"  wrote:
>>
>> On Tue, 2016-10-04 at 12:08 -0400, Peter Jones wrote:
>> > On Tue, Oct 04, 2016 at 11:03:05AM -0500, Dan Williams wrote:
>> > >
>> > > All the iSCSI boot entries are read-only anyway; it's unclear why
>> > > the
>> > > CAP_SYS_ADMIN restriction is in place since this information isn't
>> > > particularly sensitive and cannot be changed.  Userspace
>> > > applications
>> > > may want to read this without requiring CAP_SYS_ADMIN for their
>> > > entire process just for iBFT info.
>> > >
>> > > Signed-off-by: Dan Williams 
>> >
>> > Uh, because there are login credentials to the target in there.
>>
>> Fair enough.  So can we just check CAP_SYS_ADMIN for the login
>> credentials, and not check it for all the IP details and such?
> 
> The only consumer is iscsiadm - which runs as root. So why expose this
> information to non root ?

Probaby the correct question is: Can iscsiadm also run as non-root?
The tendency in UNIX (linux) security is to do administrative tasks as non-root 
when possible. Mostly because root is too powerful.

> 
>>
>> Dan
>>
>> > >
>> > > ---
>> > >  drivers/scsi/iscsi_boot_sysfs.c | 3 ---
>> > >  1 file changed, 3 deletions(-)
>> > >
>> > > diff --git a/drivers/scsi/iscsi_boot_sysfs.c
>> > > b/drivers/scsi/iscsi_boot_sysfs.c
>> > > index d453667..4e9c324 100644
>> > > --- a/drivers/scsi/iscsi_boot_sysfs.c
>> > > +++ b/drivers/scsi/iscsi_boot_sysfs.c
>> > > @@ -47,9 +47,6 @@ static ssize_t iscsi_boot_show_attribute(struct
>> > > kobject *kobj,
>> > > ssize_t ret = -EIO;
>> > > char *str = buf;
>> > >
>> > > -   if (!capable(CAP_SYS_ADMIN))
>> > > -   return -EACCES;
>> > > -
>> > > if (boot_kobj->show)
>> > > ret = boot_kobj->show(boot_kobj->data, boot_attr-
>> > > >type, str);
>> > > return ret;
>> > > --
>> > > 2.7.4
>> >
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to open-iscsi+unsubscr...@googlegroups.com.
> To post to this group, send email to open-iscsi@googlegroups.com.
> Visit this group at https://groups.google.com/group/open-iscsi.
> For more options, visit https://groups.google.com/d/optout.




-- 
You received this message because you are subscribed to the Google Groups 
"open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to open-iscsi+unsubscr...@googlegroups.com.
To post to this group, send email to open-iscsi@googlegroups.com.
Visit this group at https://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.

Antw: Re: [PATCH] iscsi_ibft,iscsi_boot: remove CAP_SYS_ADMIN restriction for reading entries

2016-10-05 Thread Ulrich Windl

>>> Dan Williams  schrieb am 04.10.2016 um 18:11 in Nachricht
<1475597465.21760.3.ca...@redhat.com>:
> On Tue, 2016-10-04 at 12:08 -0400, Peter Jones wrote:
>> On Tue, Oct 04, 2016 at 11:03:05AM -0500, Dan Williams wrote:
>> > 
>> > All the iSCSI boot entries are read-only anyway; it's unclear why
>> > the
>> > CAP_SYS_ADMIN restriction is in place since this information isn't
>> > particularly sensitive and cannot be changed.  Userspace
>> > applications
>> > may want to read this without requiring CAP_SYS_ADMIN for their
>> > entire process just for iBFT info.
>> > 
>> > Signed-off-by: Dan Williams 
>> 
>> Uh, because there are login credentials to the target in there.
> 
> Fair enough.  So can we just check CAP_SYS_ADMIN for the login
> credentials, and not check it for all the IP details and such?

The "need to know?" principle: Who needs to know that information?

> 
> Dan
> 
>> > 
>> > ---
>> >  drivers/scsi/iscsi_boot_sysfs.c | 3 ---
>> >  1 file changed, 3 deletions(-)
>> > 
>> > diff --git a/drivers/scsi/iscsi_boot_sysfs.c
>> > b/drivers/scsi/iscsi_boot_sysfs.c
>> > index d453667..4e9c324 100644
>> > --- a/drivers/scsi/iscsi_boot_sysfs.c
>> > +++ b/drivers/scsi/iscsi_boot_sysfs.c
>> > @@ -47,9 +47,6 @@ static ssize_t iscsi_boot_show_attribute(struct
>> > kobject *kobj,
>> >ssize_t ret = -EIO;
>> >char *str = buf;
>> >  
>> > -  if (!capable(CAP_SYS_ADMIN))
>> > -  return -EACCES;
>> > -
>> >if (boot_kobj->show)
>> >ret = boot_kobj->show(boot_kobj->data, boot_attr-
>> > >type, str);
>> >return ret;
>> > -- 
>> > 2.7.4
>> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to open-iscsi+unsubscr...@googlegroups.com.
> To post to this group, send email to open-iscsi@googlegroups.com.
> Visit this group at https://groups.google.com/group/open-iscsi.
> For more options, visit https://groups.google.com/d/optout.




-- 
You received this message because you are subscribed to the Google Groups 
"open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to open-iscsi+unsubscr...@googlegroups.com.
To post to this group, send email to open-iscsi@googlegroups.com.
Visit this group at https://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.

Antw: Re: [PATCH] iscsi_ibft,iscsi_boot: remove CAP_SYS_ADMIN restriction for reading entries

Antw: Re: [PATCH] iscsi_ibft,iscsi_boot: remove CAP_SYS_ADMIN restriction for reading entries

2 matches

Site Navigation

Mail list logo

Footer information