Current-Users archive


5.99.42/sparc64 - lvm2: permissions for operator use of lvm(8)



Hi folks,

AFAIK, some of the last changes on lvm2 have been made in the context of
giving some sort of read-only access to operators.
By now, there are some minor permission problems, which prevent users in
the operator group from getting some (requested) output from lvm(8).

It's mostly around /var/lock, as lvm tries to set locks in /var/lock/lvm.

It works as intended if:
  /var/lock is 0710 and owned by root:operator (0710 to avoid that
  operator users can lock out root)
AND
  /var/lock/lvm is 0770 and also owned by root:operator
AND
  /dev/mapper/control is 0660 and also owned by root:operator (it also
  works with 0640, but then a number of permission denied messages
  appear beforehand)


Using these settings, I'm able to view the lvm details with
pvs/pvdisplay, vgs/vgdisplay, lvs/lvdisplay, but I can't modify things,
i.e. using /(pv|vg|lv)(create|resize|remove)/

There is one minor thing still open - if, i.e., vgs is issued, it tries to
create an archive entry in /etc/lvm/archive and update
/etc/lvm/backup/<volume group name>, but this should not be done anyway by
an operator user. So the permissions in /etc/lvm are fine.

If those backup/archive routines within lvm(8) are not executed for
operator users, the 'Couldn't create temp archive' and 'Backup of volume
metadata' messages would disappear as well.


regards
  Martin
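
An added example, not part of the original message or of NetBSD's lvm2 sources: a POSIX shell audit that compares the three paths named above against the modes and root:operator ownership the post lists. The function names and the optional ROOT/OWNER/GROUP arguments are assumptions introduced here so the check can be pointed at a scratch tree.

```shell
#!/bin/sh
# Added example (not from the original message): audit the three paths
# against the modes and root:operator ownership listed in the post.

# perm_of PATH -> "octal-mode owner group"
# stat(1) differs: GNU coreutils takes -c, NetBSD and other BSDs take -f.
perm_of() {
    if stat -c '%a' / >/dev/null 2>&1; then
        stat -c '%a %U %G' "$1"
    else
        stat -f '%Lp %Su %Sg' "$1"
    fi
}

# check_path PATH MODE OWNER GROUP -> 0 only on an exact match
check_path() {
    actual=$(perm_of "$1" 2>/dev/null) || { echo "MISSING  $1"; return 1; }
    # Split "mode owner group" into $5 $6 $7 (intentionally unquoted).
    set -- "$1" "$2" "$3" "$4" $actual
    # Compare modes as octal numbers so 710 and 0710 are equal.
    if [ "$((0$5))" -eq "$((0$2))" ] && [ "$6" = "$3" ] && [ "$7" = "$4" ]; then
        echo "OK       $1 ($5 $6:$7)"
    else
        echo "MISMATCH $1 is $5 $6:$7, expected $2 $3:$4"
        return 1
    fi
}

# audit_lvm_operator [ROOT [OWNER [GROUP]]]
# ROOT, OWNER and GROUP are hypothetical overrides for a scratch tree;
# with no arguments the live paths are checked against root:operator.
audit_lvm_operator() {
    root=${1:-} owner=${2:-root} group=${3:-operator} rc=0
    check_path "$root/var/lock"           0710 "$owner" "$group" || rc=1
    check_path "$root/var/lock/lvm"       0770 "$owner" "$group" || rc=1
    check_path "$root/dev/mapper/control" 0660 "$owner" "$group" || rc=1
    return $rc
}
```

Call `audit_lvm_operator` with no arguments to check the live system; a non-zero return means at least one path differs from the values in the post.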

