[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Draft resolution on devmapper question

On Tue, Apr 04, 2006 at 12:49:22PM -0700, Steve Langasek wrote:
> On Mon, Apr 03, 2006 at 05:08:54PM -0400, Raul Miller wrote:
> > On 4/3/06, Steve Langasek <vorlon@debian.org> wrote:
> > > Raul suggested in
> > > <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342455;msg=15> that policy
> > > should also be amended to spell out the permissions for disk devices -- do
> > > we need to include text here which addresses that directly?

> > Perhaps the following item could be added to your draft (renumbering the
> > current item 14 as 15)

> > 14. RECOMMENDS policy be updated to reflect this determination
> > on default block device permissions.

> Thanks, added.  The updated draft is attached.

<sigh>  Trying that again. :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

WHEREAS

 1. It is a limitation of the current device-mapper implementation in Debian
    that all device nodes managed by libdevmapper are created with the same
    hard-coded ownership and permissions; and

 2. The standard owning group for disk device nodes is group "disk"; and

 3. The sole reason for the existence of this group on Debian systems is
    to control access to disk devices; and

 4. The majority of device-mapper nodes expose data that is already
    available to members of the disk group via the component disks; and

 5. The use of a different owning group in these cases therefore makes
    accessing the data more inconvenient but not more secure; and

 6. The exception to the above is dm-crypt, whereby device-mapper nodes
    expose data that is not available in unencrypted form from the
    component disks; and

 7. No single owning group satisfies all possible use cases for
    device-mapper; but

 8. Users of dm-crypt have the option of not adding users to the disk
    group that they do not wish to have access to their unencrypted 
    dm-crypt volumes;

THE TECHNICAL COMMITTEE:

 9. THANKS Bastian Blank for his continued maintenance of the devmapper
    package in Debian; and

10. ALSO THANKS Roger Leigh for bringing this issue before the
    committee; and

11. ENCOURAGES the devmapper maintainer to work towards support for
    configurable device-mapper device permissions in Debian; and

12. DETERMINES that the correct default permissions for all device-mapper
    nodes is root:disk 0660, with or without support for configurable device
    permissions; and

13. ASKS (with a 3:1 majority: REQUIRES) the devmapper maintainer to
    implement these permissions in unstable by applying Roger Leigh's
    patch from
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329409;msg=87;att=0;
    and

14. RECOMMENDS policy be updated to reflect this determination on
    default block device permissions; and

15. AUTHORIZES Roger to implement these same permissions in stable via a
    non-maintainer upload.

Attachment: signature.asc
Description: Digital signature

Reply to: