Current-Users archive


Re: 5.99.42/sparc64 - lvm2: permissions for operator use of lvm(8)

On Dec,Thursday 30 2010, at 10:47 AM, Martin Mersberger wrote:

> Hi folks,
> AFAIK, some of the last changes on lvm2 have been in context to give
> some sort of read-only access to operators.
> By now, there are some minor permission problems, which prevent users in
> the operator group to get some (requested) output from lvm(8)
> it's mostly around /var/lock, as lvm tries to set locks in /var/lock/lvm
> It works as intended, if:
>  /var/lock is 0710 and owned by root:operator (0710 to avoid, that
>  operator users can lock out root..)
>  /var/lock/lvm is 0770 and also owned by root:operator
>  /dev/mapper/control is 0660 and also owned by root:operator (it works
>  also with 0640, but then, an amount of permission denied messages appear
>  before)

A workaround can be to use the --ignorelockingfailure flag for the lvm tools:

lvm  lvs --ignorelockingfailure
  LV    VG     Attr   LSize   Origin Snap%  Move Log Copy%  Convert
  devel vgdata -wi-a- 150.00g                                      
  srv   vgdata -wi-a-  10.00g 

This needs a little bit more discussion; let's wait for others and what they think.

> Using these settings, I'm able to view the lvm details like
> pvs/pvdisplay, vgs/vgdisplay, lvs/lvdisplay, but I can't modify things
> ie using /(pv|vg|lv)(create|resize|remove)/

That's fine.

> There is one minor thing still open - if ie. vgs is issued, it tries to
> create an archive entry into /etc/lvm/archive and update
> /etc/lvm/backup/<volume group name>, but this should not be done anyway by
> an operator user. So the permissions in /etc/lvm are fine.
> If those backup/archive routines within lvm(8) are not executed for
> operator users, the 'Couldn't create temp archive' and 'Backup of volume
> metadata' messages would disappear as well

I'm not sure what the historical behavior was, but to me it looks like operator
should be able to create a backup of the lvm configuration.
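
The ownership and modes proposed in the quoted message, written as a check that reports any deviation on a running system. This is an added example, not part of the original posts or of NetBSD's lvm2 code; the function names are hypothetical, and the expected values are copied from the quoted message.

```python
"""Audit the lock-directory and control-node permissions proposed in the thread."""
import grp
import os
import pwd
import stat

# path -> (owner, group, mode), as listed in the quoted message
EXPECTED = {
    "/var/lock": ("root", "operator", 0o710),
    "/var/lock/lvm": ("root", "operator", 0o770),
    "/dev/mapper/control": ("root", "operator", 0o660),
}

def compare(path, owner, group, mode):
    """Return the deviations of one path from EXPECTED (empty list = matches)."""
    want_owner, want_group, want_mode = EXPECTED[path]
    found = []
    if (owner, group) != (want_owner, want_group):
        found.append(f"{path}: {owner}:{group}, expected {want_owner}:{want_group}")
    if mode != want_mode:
        found.append(f"{path}: mode {mode:04o}, expected {want_mode:04o}")
    if mode & 0o007:
        found.append(f"{path}: accessible to users outside {want_group}")
    if path == "/var/lock" and mode & stat.S_IWGRP:
        # the message picks 0710 so that operator users cannot lock out root
        found.append(f"{path}: group-writable, operator could lock out root")
    return found

def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(paths=EXPECTED):
    """stat() each path on the live system and collect all deviations."""
    report = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError as exc:
            report.append(f"{path}: {exc.strerror}")
            continue
        owner, group = _name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid)
        report.extend(compare(path, owner, group, stat.S_IMODE(st.st_mode)))
    return report

if __name__ == "__main__":
    print("\n".join(audit()) or "all paths match the proposed permissions")
```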


