On Wed, Oct 05, 2016 at 11:00:57PM +0200, Christian Seiler wrote: > On 10/05/2016 08:28 PM, Dan Williams wrote: > > This is more about root processes dropping unnecessary privileges after > > starting. But at least for the network stuff, there doesn't seem to be > > a good reason to restrict stuff to root either; like 'ifconfig' doesn't > > require root access to display info. > > > > While NetworkManager currently spawns iscsiadm to read this stuff, NM > > only cares about the iBFT network settings and we'd rather just read > > sysfs directly instead of spawing and parsing iscsiadm output. So I > > wouldn't expect the only consumer to be iscsiadm in the near future. > > > > Once we do this, NM would also like to drop CAP_SYS_ADMIN after staring > > since we don't actually need it for anything except reading iBFT. > > Maybe CAP_SYS_ADMIN is simply the wrong capability here? If this is > supposed to remain restricted, maybe using CAP_NET_ADMIN for the > network configuration data (NetworkManager has that, right?) and > CAP_SYS_ADMIN for the rest? (Target name, portal, auth data.) > That would still be rather restrictive, but better suited for the > use case in mind?
I kind of like this suggestion. I was wondering if capabilities were even the right fit for sysfs, but there are several potentially sensitive firmware tables that have CAP_SYS_ADMIN checks as well as CAP_NET_ADMIN for a bunch of networking stuff. Either way, if we're considering relaxing or changing the check for the network interface attributes, CAP_SYS_ADMIN should probably be kept for the target and initiator configuration attributes. It looks like that would work for NetworkManager, and other network configuration services that want access to that part of the iBFT. Chris -- You received this message because you are subscribed to the Google Groups "open-iscsi" group. To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscr...@googlegroups.com. To post to this group, send email to open-iscsi@googlegroups.com. Visit this group at https://groups.google.com/group/open-iscsi. For more options, visit https://groups.google.com/d/optout.
