
Re: Bug#342455: tech-ctte: Ownership and permissions of device mapper block devices

Bastian Blank writes ("Re: Bug#342455: tech-ctte: Ownership and permissions of device mapper block devices"):
> On Tue, Dec 13, 2005 at 03:55:01PM +0000, Ian Jackson wrote:
> > [Raul Miller:]
> > > 1) change devmapper defaults -- patch rejected, no reason given
> > Certainly I agree that the defaults should be changed.
> At least in my point of view, a default is something which can be
> changed easily, maybe in a config file. In this case, it is no default,
> it is the value which anything gets.

You seem to be saying that there is no way to override the setting.
Which proposed setting are you talking about here - the change in the
call to configure, or some other change?

How do you think this problem should be solved?

> > > I've also seen the suggestion that we should have an explicit
> > > technical policy that block devices should default to having 660
> > > permissions with owner root and group disk.  [...]
> This breaks anything which wants to use group cdrom for cdrom access
> without manual intervention.

Obviously the policy language would have to be carefully worded to
ensure that it applied to disks and not (eg) to cdrom devices.

> > > Finally, I don't see any reasoning given for things being the
> > > way they are currently.  There might be some such reason, but
> > > I'm a bit dubious -- if there was a good reason, why wasn't it
> > > spelled out months ago?
> "Secure by default" is no reason? You can always overwrite it on
> runtime.

Are you saying that the current default permissions on (eg) /dev/hda*
are insecure and therefore wrong?  If they are, what significant good
does it do to make the lvm devices inaccessible to group disk (since
it is possible to avoid going through LVM to access the disks

> > I agree, if we can settle my quibble about group-write.
> If the upper don't apply, 666 is also a valid setting.

This is some kind of straw man.

Is the problem with your participation in this discussion that English
isn't your native language?  If not, please let us know and perhaps
we can get someone to help translate.

