>>> Konrad Rzeszutek Wilk <kon...@darnok.org> schrieb am 05.10.2016 um 01:23 in Nachricht <capbh3rskyveukurwhf1jxf1caysfjbo-09a8txdvnwmvyi5...@mail.gmail.com>: > On Oct 4, 2016 12:11 PM, "Dan Williams" <d...@redhat.com> wrote: >> >> On Tue, 2016-10-04 at 12:08 -0400, Peter Jones wrote: >> > On Tue, Oct 04, 2016 at 11:03:05AM -0500, Dan Williams wrote: >> > > >> > > All the iSCSI boot entries are read-only anyway; it's unclear why >> > > the >> > > CAP_SYS_ADMIN restriction is in place since this information isn't >> > > particularly sensitive and cannot be changed. Userspace >> > > applications >> > > may want to read this without requiring CAP_SYS_ADMIN for their >> > > entire process just for iBFT info. >> > > >> > > Signed-off-by: Dan Williams <d...@redhat.com> >> > >> > Uh, because there are login credentials to the target in there. >> >> Fair enough. So can we just check CAP_SYS_ADMIN for the login >> credentials, and not check it for all the IP details and such? > > The only consumer is iscsiadm - which runs as root. So why expose this > information to non root ?
Probaby the correct question is: Can iscsiadm also run as non-root? The tendency in UNIX (linux) security is to do administrative tasks as non-root when possible. Mostly because root is too powerful. > >> >> Dan >> >> > > >> > > --- >> > > drivers/scsi/iscsi_boot_sysfs.c | 3 --- >> > > 1 file changed, 3 deletions(-) >> > > >> > > diff --git a/drivers/scsi/iscsi_boot_sysfs.c >> > > b/drivers/scsi/iscsi_boot_sysfs.c >> > > index d453667..4e9c324 100644 >> > > --- a/drivers/scsi/iscsi_boot_sysfs.c >> > > +++ b/drivers/scsi/iscsi_boot_sysfs.c >> > > @@ -47,9 +47,6 @@ static ssize_t iscsi_boot_show_attribute(struct >> > > kobject *kobj, >> > > ssize_t ret = -EIO; >> > > char *str = buf; >> > > >> > > - if (!capable(CAP_SYS_ADMIN)) >> > > - return -EACCES; >> > > - >> > > if (boot_kobj->show) >> > > ret = boot_kobj->show(boot_kobj->data, boot_attr- >> > > >type, str); >> > > return ret; >> > > -- >> > > 2.7.4 >> > > > -- > You received this message because you are subscribed to the Google Groups > "open-iscsi" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to open-iscsi+unsubscr...@googlegroups.com. > To post to this group, send email to open-iscsi@googlegroups.com. > Visit this group at https://groups.google.com/group/open-iscsi. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "open-iscsi" group. To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscr...@googlegroups.com. To post to this group, send email to open-iscsi@googlegroups.com. Visit this group at https://groups.google.com/group/open-iscsi. For more options, visit https://groups.google.com/d/optout.