[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130809215449.GB21756@kroah.com>
Date: Fri, 9 Aug 2013 14:54:49 -0700
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Bob Smith <bsmith@...uxtoys.org>
Cc: Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 001/001] CHAR DRIVERS: a simple device to give daemons a
/sys-like interface
On Wed, Aug 07, 2013 at 02:53:50PM -0700, Bob Smith wrote:
> Greg Kroah-Hartman wrote:
> >>The proxy device nodes are application specific and need to be
> >>created as needed by applications.
> >
> >But applications do not have the permissions in a system to create
> >device nodes. Nor should they need that permission.
>
> Agreed. But you need root permissions to install an application
> and part of that installation can be setting up systemd files
> that allocate resources at boot.
Do you have examples of those systemd files? Last I looked, they didn't
have mknod permissions anymore, which is a good thing.
> Also, some applications start as root just so they can do this kind of
> allocation. The app can (and should) drop root privileges when it
> can.
You shouldn't require root for a new feature, that seems strange.
Also, namespaces aren't addressed at all, but that's a totally different
issue...
> >>Allocation of minor numbers is an issue but that is an issue that
> >>is separate from the proxy module itself.
> >How is it separate, it seems tied directly to it as something that must
> >be handled properly.
> It can, but does not need to be handled in the kernel. It could
> be handled in user space.
>
> >
> >>> Also, no, setting the permissions like this is not ok for a real system,
> >>> what is going to be in charge of setting the permissions on these random
> >>> device nodes?
> >> Again, compare proxy to a named pipe. It is up the application
> >> writer to decide who gets read and write access to its proxy
> >> nodes.
> >
> > Ok, but to do so, you have to have root permissions to start with, which
> > is generally not going to happen on sane systems. Only allowing root
> > access to this seems like a huge limitation.
>
> As noted above, yes, root has to set it up and set the permissions,
> but this is hardly unusual, is it?
Yes it is, modern userspace does not create any device nodes anymore,
please let's not regress on that point.
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists