| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Jun 2012 20:39:21 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: James Bottomley <James.Bottomley@...senPartnership.com> CC: linux-kernel@...r.kernel.org, axboe@...nel.dk, linux-scsi@...r.kernel.org Subject: Re: [PATCH] scsi: allow persistent reservations without CAP_SYS_RAWIO Il 12/06/2012 20:02, James Bottomley ha scritto: >> > Thanks for taking the time to explain---I knew about this, but I thought >> > it could (perhaps should) be disabled on the SAN. Anybody could already >> > use reservation by transport ID if they had root access on the local >> > machine, no? > No ... it's required for multipath to work correctly and multipath is a > usual enterprise feature. > > The only way around this is either to trust your users or not to give > out root ... and most data centres choose the latter. It causes real > pain from NPIV and SR-IOV ... I can imagine... my impression was that it would only affect whatever LUNs the zoning allowed access to (NPIV is pretty much required to use persistent reservations on guests, or guests will all share the same WWN). Would it be acceptable to restrict access to PR OUT with ALL_TG_PT set, and allow it freely without the flag? Paolo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists