
Re: Permission denied exporting whole device



> On 1 Jan 2018, at 16:25, g <sendmailtogoran@gmail.com> wrote:
> 
> On Monday, 01.01.2018, at 16:05 +0000, Alex Bligh wrote:
>> Can a non-root user even read /dev/sdb?
> 
> No, but nbd-server runs as user nbd. If I change it, what will happen regarding
> security?

You need to ensure that the user that nbd runs as can access /dev/sdb if you want it to be able to export it.

The easiest way to do this would be (per Shaun's comment) to add user nbd to the disk group (assuming disk owns /dev/sdb which would be normal). The byproduct of this is that the nbd daemon would be able to read/write all raw disks (and anything else owned by user/group disk), so in the event of a vulnerability in nbd this might give a route to privilege escalation (for instance it could manually edit /etc/shadow).

-- 
Alex Bligh
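
The trade-off described in the reply above, as an added example that is not part of the original message: a shell filter that lists every block device a given group can read or write, so the reach of putting user nbd in group disk can be checked before the change. The function names and the sample listing are constructed for illustration; input lines are assumed to follow the layout of GNU `stat -c '%A %U %G %n'`.

```shell
#!/bin/sh
# Added example: estimate what membership of a group (here "disk") lets a
# daemon account touch. Input lines use the layout of GNU
# `stat -c '%A %U %G %n'`: mode string, owner, group, path.

# group_reach GROUP: read stat lines on stdin and print "<access> <path>"
# for every block device that GROUP can read and/or write.
group_reach() {
    awk -v grp="$1" '
        substr($1, 1, 1) == "b" && $3 == grp {
            acc = ""
            # Characters 5 and 6 of the mode string are the group r/w bits.
            if (substr($1, 5, 1) == "r") acc = acc "r"
            if (substr($1, 6, 1) == "w") acc = acc "w"
            if (acc != "") print acc, $4
        }'
}

# Constructed sample modelled on a typical /dev listing (not from the thread).
sample_listing() {
    cat <<'EOF'
brw-rw---- root disk /dev/sda
brw-rw---- root disk /dev/sda1
brw-rw---- root disk /dev/sdb
brw-rw---- root cdrom /dev/sr0
crw-rw-rw- root root /dev/null
brw-r----- root disk /dev/loop0
EOF
}

# The export target /dev/sdb becomes reachable, but so does every other
# device the group owns, including the disk holding the root filesystem.
sample_listing | group_reach disk

# On a live system (GNU find and stat assumed), feed it the real listing:
#   find /dev -type b -exec stat -c '%A %U %G %n' {} + | group_reach disk
```

Every line printed besides the device being exported is extra exposure the nbd account gains through the group.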




