On 01/26/15 21:04, Lennart Poettering wrote: > On Mon, 26.01.15 17:07, Topi Miettinen (toiwo...@gmail.com) wrote: > >> On 01/26/15 12:41, Simon McVittie wrote: >>> On 24/01/15 10:09, Topi Miettinen wrote: >>>> For example, smartd only needs access to /dev/sd*. >>> >>> Let me spell that differently: smartd "only" needs the ability to make >>> arbitrary filesystem changes, defeating any possible configurable >>> security mechanism. >> >> Not exactly: it only needs read access. Depending on the system, that >> could be very different from being able to make arbitrary filesystem >> changes. > > Sending SMART requests requires the same priviliges as issue direct > low-level write requests to my knowledge, hence I'd say simon is right.
CAP_SYS_RAWIO, yes. Only read access is needed otherwise: DevicePolicy=closed DeviceAllow=block-sd r DeviceAllow=/dev/sda r DeviceAllow=/dev/sdb r works fine here. Probably CAP_SYS_RAWIO can be used to circumvent the lack of write access, though. -Topi > > Lennart > _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
