Re: Permission denied exporting whole device
On Mon, Jan 01, 2018 at 05:10:02PM +0000, Alex Bligh wrote:
>
> > On 1 Jan 2018, at 16:25, g <sendmailtogoran@gmail.com> wrote:
> >
> > On Monday, 01.01.2018, at 16:05 +0000, Alex Bligh wrote:
> >> Can a non-root user even read /dev/sdb?
> >
> > No, but nbd-server runs as user nbd. If I change it, what will happen regarding
> > security?
>
> You need to ensure that the user that nbd runs as can access /dev/sdb if you
> want it to be able to export it.
>
> The easiest way to do this would be (per Shaun's comment) to add user nbd to
> the disk group (assuming disk owns /dev/sdb which would be normal).

That's actually Debian-specific (RedHat doesn't do it, when last I checked).
Additionally, the groups that a user is a member of are not relevant as far as
nbd-server is concerned, since it uses plain setuid() and setgid() calls to set
the user and group.

You can, however:

- Either change the group= setting in nbd-server.conf to the disk group (if
  that's the group you need)
- Or change your udev configuration to change the group permissions on
  the device you want to export so that nbd-server can access it.

Note that write permissions are not needed if you want to perform a
copy-on-write or read-only export (but read permissions obviously are).
--
Could you people please use IRC like normal people?!?
-- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
Hacklab
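
The access rule discussed in the message above, as an added example that is not part of the original message and is not nbd-server code: a simplified Unix mode-bit check (no ACLs, no capabilities) showing why only the uid, the gid and the supplementary groups the process actually holds decide whether the device can be opened. All numeric ids are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Credentials the process holds after dropping privileges. */
struct creds {
    uid_t uid;
    gid_t gid;
    const gid_t *groups; /* supplementary groups actually held, not /etc/group */
    size_t ngroups;
};

/* Simplified mode-bit check: exactly one of the owner, group or other
 * triplets applies, in that order. */
static bool may_open(const struct creds *c, uid_t owner, gid_t group,
                     mode_t mode, bool want_write)
{
    mode_t r = S_IROTH, w = S_IWOTH;
    bool in_group = (c->gid == group);
    for (size_t i = 0; i < c->ngroups && !in_group; i++)
        in_group = (c->groups[i] == group);

    if (c->uid == owner) { r = S_IRUSR; w = S_IWUSR; }
    else if (in_group)   { r = S_IRGRP; w = S_IWGRP; }

    if (!(mode & r)) return false;       /* read is always required */
    return !want_write || (mode & w);    /* write only for read-write exports */
}

int main(void)
{
    /* Constructed ids: device owned by root:disk, service user nbd. */
    const uid_t root = 0, nbd_uid = 115;
    const gid_t disk = 6, nbd_gid = 125;
    struct creds as_nbd  = { nbd_uid, nbd_gid, NULL, 0 }; /* gid is nbd */
    struct creds as_disk = { nbd_uid, disk, NULL, 0 };    /* gid is disk */
    printf("gid nbd,  0660, rw: %d\n", may_open(&as_nbd, root, disk, 0660, true));
    printf("gid disk, 0660, rw: %d\n", may_open(&as_disk, root, disk, 0660, true));
    printf("gid disk, 0640, ro: %d\n", may_open(&as_disk, root, disk, 0640, false));
    return 0;
}
```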