lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4FD77B94.1030207@redhat.com>
Date:	Tue, 12 Jun 2012 19:25:40 +0200
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	James Bottomley <James.Bottomley@...senPartnership.com>
CC:	linux-kernel@...r.kernel.org, axboe@...nel.dk,
	linux-scsi@...r.kernel.org
Subject: Re: [PATCH] scsi: allow persistent reservations without CAP_SYS_RAWIO

Il 12/06/2012 19:20, James Bottomley ha scritto:
> I don't think you understand how persistent reservations work.
> 
> The first thing I'll say is I agree with Alan.  Unless you can justify
> why you want to relax permissions I'm not going to do it.

See my answer to John.  The reason is that I want to let VMs use
persistent reservations without running them as root.

> But secondly, the reason we're so up in arms about SCSI-3 PR is that
> there's a feature called reservation by transport ID.  This is used to
> reserve multipath devices when one of the paths is down.  Effectively it
> allows a PR-OUT command to set a reservation on any LUN with access only
> to one of them.  It's definitely a hack in the SCSI standard, but it's
> not one that can be controlled by a unix like permission model.  Write
> access to *any* LUN allows you to reserve *all* luns.

Thanks for taking the time to explain---I knew about this, but I thought
it could (perhaps should) be disabled on the SAN.  Anybody could already
use reservation by transport ID if they had root access on the local
machine, no?

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ