[LU-17569] move HSM capabilities to CAP_SYS_RESOURCE - Whamcloud Community JIRA

Details

Type: Improvement
Resolution: Unresolved
Priority: Minor
Fix Version/s: None
Affects Version/s: None
Labels:
None

Severity:
3
Rank (Obsolete):
9223372036854775807

Description

Most of the HSM, quota, and remote directory operations are checking CAP_SYS_ADMIN, which is a grab-bag of different administrative capabilities. It would be more useful and secure to use CAP_SYS_RESOURCE to control access to this functionality, since these are directly related to managing storage capacity and allocation.

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
:
:
#define CAP_SYS_RESOURCE     24

Attachments

Issue Links

is related to

LU-17410 Add per-nodemap capabilities mask

Open

Activity

[LU-17569] move HSM capabilities to CAP_SYS_RESOURCE

Gerrit Updater added a comment - 21/Feb/24 1:15 AM

"Andreas Dilger <adilger@whamcloud.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54119
Subject: LU-17569 misc: use CAP_SYS_RESOURCE for HSM/quota/DNE
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: c1cf9f3dc87e46fafb11f33221bab9e3df366543

Gerrit Updater added a comment - 21/Feb/24 1:15 AM "Andreas Dilger <adilger@whamcloud.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54119 Subject: LU-17569 misc: use CAP_SYS_RESOURCE for HSM/quota/DNE Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: c1cf9f3dc87e46fafb11f33221bab9e3df366543

People

Assignee:: Andreas Dilger

Reporter:: Andreas Dilger

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Feb/24 11:47 PM

Updated:: 04/Apr/24 7:41 PM