Re: Permission denied exporting whole device

To: g <sendmailtogoran@gmail.com>
Cc: nbd@other.debian.org
Subject: Re: Permission denied exporting whole device
From: Shaun McDowell <shaunjmcdowell@gmail.com>
Date: Mon, 1 Jan 2018 11:45:51 -0500
Message-id: <[🔎] CAM1OiDMnZOJ003hU49gQ89SBVuaugf9MTjEkpQAv2Uz25=f5uw@mail.gmail.com>
In-reply-to: <[🔎] 1514823957.12962.14.camel@gmail.com>
References: <[🔎] 1514814628.12962.10.camel@gmail.com> <[🔎] 39D2E0B9-FFC5-40B8-932D-A8A0AAC79C2F@alex.org.uk> <[🔎] 1514823957.12962.14.camel@gmail.com>

If you add a supplemental group 'disk' to user 'nbd' then I believe the nbd-server should be able to read/write to the block devices. This opens up the security for the nbd-server to read/write to any disk which is up to you if that is ok security wise.

A more constrained approach could be to set up a systemd service file or upstart/init script to change the disk ownership that you want to export (preferably by label or uuid) to user=nbd group=disk and that should let the nbd-server access just that disk

On Mon, Jan 1, 2018 at 11:25 AM, g <sendmailtogoran@gmail.com> wrote:

Am Montag, den 01.01.2018, 16:05 +0000 schrieb Alex Bligh:
> Can a non-root user even read /dev/sdb?

No, but nbd-server runs as user nbd. If I change it, what will happen regarding
security?

Goran

Reply to:

References:
- Permission denied exporting whole device
  - From: g <sendmailtogoran@gmail.com>
- Re: Permission denied exporting whole device
  - From: Alex Bligh <alex@alex.org.uk>
- Re: Permission denied exporting whole device
  - From: g <sendmailtogoran@gmail.com>

Prev by Date: Re: Permission denied exporting whole device
Next by Date: Re: Permission denied exporting whole device
Previous by thread: Re: Permission denied exporting whole device
Next by thread: Re: Permission denied exporting whole device
Index(es):
- Date
- Thread