Re: mdadm --monitor as non-root ?

Re: mdadm --monitor as non-root ?

[NeilBrown]

[-- Attachment #1: Type: text/plain, Size: 3232 bytes --]

On Thu, 22 Dec 2011 14:28:15 +0100 Raphael Hertzog <hertzog@debian.org> wrote:

> Hello,
> 
> I'm interested in having desktop notifications for change in the status
> of my RAID devices and I saw your comment here:
> http://neil.brown.name/blog/20090129234603-021
> 
> Unfortunately that doesn't work well in practice. The monitoring program
> must be run from the user's session and apparently mdadm --monitor
> only works as root:
> $ mdadm --monitor --no-sharing --alert notify-send
> mdadm: must be super-user to perform this action
> 
> Is there a way to let mdadm do the monitoring for us without requiring
> root rights?

That is reasonable.  The next release of mdadm (later today) will not impose
that limitation - patch below.

Unfortunately the kernel does impose a limitation.  I'll fix it for 3.3, but
until then you will need to apply the second patch below.


> 
> Cheers,
> 
> PS: Is there a better place for this kind of feature requests ? Feel
> free to forward this mail to record it there (should it exist).

Best place is linux-raid@vger.kernel.org (you don't need to subscribe).  I've
Cced this reply there.

Thanks,
NeilBrown



From ba3903d416524e0fb002eca971ce6026e5f2c3af Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Fri, 23 Dec 2011 07:42:23 +1100
Subject: [PATCH] allow --monitor to be run by non-privileged use.

Providing --no-sharing is given, monitoring should be permitted.

Unfortunately the kernel current rejects GET_DISK_INFO and
GET_ARRAY_INFO for non-privileged users which is unjustified.
The info is available in sysfs and we could get it from there,
but for now, require the kernel to be fixed.

Reported-by: Raphael Hertzog <hertzog@debian.org>
Signed-off-by: NeilBrown <neilb@suse.de>

diff --git a/mdadm.c b/mdadm.c
index c6a887a..f07fac2 100644
--- a/mdadm.c
+++ b/mdadm.c
@@ -1209,7 +1209,8 @@ int main(int argc, char *argv[])
 		require_homehost = 0;
 	}
 
-	if ((mode != MISC || devmode != 'E') &&
+	if (!((mode == MISC && devmode == 'E')
+	      || (mode == MONITOR && spare_sharing == 0)) &&
 	    geteuid() != 0) {
 		fprintf(stderr, Name ": must be super-user to perform this action\n");
 		exit(1);



From b56ca899650a7ad4f40b2986086f411286e90c4a Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Fri, 23 Dec 2011 07:46:36 +1100
Subject: [PATCH] md: allow non-privileged uses to GET_*_INFO about raid
 arrays.

The info is already available in /proc/mdstat and /sys/block in
an accessible form so there is no point in putting a road-block in
the ioctl for information gathering.

Signed-off-by: NeilBrown <neilb@suse.de>

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 9dfa2d1..87022b5 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6129,8 +6129,15 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
 	struct mddev *mddev = NULL;
 	int ro;
 
-	if (!capable(CAP_SYS_ADMIN))
-		return -EACCES;
+	switch (cmd) {
+	case RAID_VERSION:
+	case GET_ARRAY_INFO:
+	case GET_DISK_INFO:
+		break;
+	default:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EACCES;
+	}
 
 	/*
 	 * Commands dealing with the RAID driver but not any

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 828 bytes --]