From: Paolo Bonzini <pbonzini@redhat.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
linux-kernel@vger.kernel.org, axboe@kernel.dk,
linux-scsi@vger.kernel.org
Subject: Re: [PATCH] scsi: allow persistent reservations without CAP_SYS_RAWIO
Date: Tue, 12 Jun 2012 18:54:16 +0200 [thread overview]
Message-ID: <4FD77438.6090202@redhat.com> (raw)
In-Reply-To: <4FD76D57.5020709@redhat.com>
Il 12/06/2012 18:24, Paolo Bonzini ha scritto:
> Il 12/06/2012 18:21, James Bottomley ha scritto:
>>>> Persistent reservations commands cannot be issued right now without
>>>> giving CAP_SYS_RAWIO to the process who wishes to send them. This
>>>> is a bit heavy-handed, allow these two commands.
>>
>> Why is this heavy handed? If you remove CAP_SYS_RAWIO, any userspace
>> process can send these, which would allow any user to completely disrupt
>> a SAN by injecting spurious reservations ... that doesn't look to be
>> terribly safe for an operating system running in a data centre.
>
> It is heavy-handed because:
>
> 1) there are still other protections such as DAC (both Unix permissions
> and ACLs) and SELinux; CAP_SYS_RAWIO is effectively the same as root.
>
> 2) if any user could disrupt the SAN by injecting spurious reservations
> just by having his laptop's root password, that data centre wouldn't be
> terribly safe to begin with.
3) assume that with this patch user X could disrupt the SAN by injecting
spurious reservations, e.g. forbidding another user from writing some
data. Then they could also destroy those same data even without this
patch, which is just as disrupting.
This is because you still need write permission to the device to issue
reservations. Read permission will only let you use PERSISTENT RESREVE IN.
Paolo
next prev parent reply other threads:[~2012-06-12 16:54 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-12 16:08 [PATCH] scsi: allow persistent reservations without CAP_SYS_RAWIO Paolo Bonzini
2012-06-12 16:21 ` James Bottomley
2012-06-12 16:24 ` Paolo Bonzini
2012-06-12 16:54 ` Paolo Bonzini [this message]
2012-06-12 17:20 ` James Bottomley
2012-06-12 17:25 ` Paolo Bonzini
2012-06-12 18:02 ` James Bottomley
2012-06-12 18:39 ` Paolo Bonzini
2012-06-12 16:55 ` Alan Cox
2012-06-12 17:08 ` Paolo Bonzini
2012-06-12 18:52 ` Can we pass a file handle down to the block ioctls to implement per file filters on scsi SG_IO ? Alan Cox
2012-06-12 19:13 ` Paolo Bonzini
2012-06-12 17:08 ` [PATCH] scsi: allow persistent reservations without CAP_SYS_RAWIO John Stoffel
2012-06-12 17:13 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FD77438.6090202@redhat.com \
--to=pbonzini@redhat.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).