From: A. L. <a.l...@ed...> - 2004-08-10 18:45:58
|
At Tue, 10 Aug 2004 12:24:20 -0400 Ming Zhang <mi...@el...> wrote: > On Tue, 2004-08-10 at 11:41, A. Lehmann wrote: >> At Mon, 09 Aug 2004 20:25:20 -0400 Ming Zhang <mi...@el...> wrote: >> >> ( some stuff snipped) >> >> Since daemon has to deal with (networked) I/O, this seems to be >> >> a good idea. It's a security thing, like the checking values in >> >> variables. But I guess, it's tricky to implement. >> > but when u want to open a device like /dev/sda to rw. u need root >> > anyway. i am not sure in fact, there might have way to get around. >> >> This is a way to get around: >> # chown $USER:$GROUP /dev/$BLOCK_DEVICE >> # chmod 660 /dev/$BLOCK_DEVICE >> ... and $USER and $GROUP do have rw to this $BLOCK_DEVICE. >> >> just checked with a simple shell script using netcat and dd: >> >> # ali@motor:~$ nc -l -p 54321 | dd of=/dev/evms/test_stripe > anything related to security has to be very careful though. That's why I suggested this -u option. one can also think about -g <gid>; instead -u or even both, don't know what's better. > ... and change a device file may prevent other use. no - it can prevent other non-root users and not $GROUP members from access. but this, u get in addition. primary goal is making daemons possible failure (i.e. done by a malicious initiator) less "dangerous". ali |