jserink Veteran
Joined: 30 Jan 2004 Posts: 1008
|
Posted: Sat Feb 24, 2018 5:11 pm Post subject: nvme permission issues |
|
|
Hi All:
I have upgraded my laptop and the new one has a pci SSD so hddtemp doesn't work anymore in conky.
I had to unmask nvme and install that.
I can get the temperature easy as root like this:
Code: | jserinki7 /home/jserink # nvme smart-log /dev/nvme0 | grep "^temperature" | cut -c39-42
48 C |
You can see, it works perfect.
Now, I have added myself and the command to my sudoers file like this:
Code: | # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
jserink jserinki7 = NOPASSWD:/usr/sbin/iw
jserink jserinki7 = NOPASSWD:/usr/sbin/nvme
Defaults !syslog, !pam_session
## Read drop-in files from /etc/sudoers.d |
You can see I also have iw in there to read wifi status for conky.
Anyhow, while testing this while NOT root:
Code: | jserink@jserinki7 ~ $ /usr/sbin/nvme version
nvme version 1.5 |
It's not throwing an error like before the addition to sudoers.
But.....
Code: | jserink@jserinki7 ~ $ /usr/sbin/nvme list |
As root:
Code: | jserinki7 /home/jserink # nvme list
Node SN Model Namespace Usage Format FW Rev
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1 EJ7AN48171040AA11 PC300 NVMe SK hynix 512GB 1 512.11 GB / 512.11 GB 512 B + 0 B 20005A00 |
Why doesn't that work?
I have given read permissions to the associated /dev entries as such:
Code: | crw-r--r-- 1 root root 246, 0 Feb 25 2018 /dev/nvme0
brw-rw-r-- 1 root disk 259, 0 Feb 25 2018 /dev/nvme0n1
brw-rw-r-- 1 root disk 259, 1 Feb 25 2018 /dev/nvme0n1p1
brw-rw-r-- 1 root disk 259, 2 Feb 24 22:04 /dev/nvme0n1p2
brw-rw-r-- 1 root disk 259, 3 Feb 25 2018 /dev/nvme0n1p3
brw-rw-r-- 1 root disk 259, 4 Feb 24 22:04 /dev/nvme0n1p4
crw------- 1 root root 10, 144 Feb 25 2018 /dev/nvram
|
Which at least got me this far.
Here is the problem I am worried about:
Code: | jserink@jserinki7 ~ $ /usr/sbin/nvme smart-log /dev/nvme0 | grep "^temperature" | cut -c39-42
smart log: Permission denied |
So, what in the system do I have to provide read rights so that a normal user can read this?
I searched for this "smart log" and there is nothing there by that name.
Ideas?
Cheers,
john
[Moderator edit: added [code] tags to preserve output layout. -Hu] |
|
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sat Feb 24, 2018 7:45 pm Post subject: |
|
|
You need write access to issue smart read ioctls in the first place.
Note that you've now given all unprivileged users full read access to the entire SSD. |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54220 Location: 56N 3W
|
Posted: Sat Feb 24, 2018 8:37 pm Post subject: |
|
|
Ant P.
It's probably safer to set the suid bit on /usr/sbin/nvme, so it runs as root.
That's ugly too.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
jserink Veteran
Joined: 30 Jan 2004 Posts: 1008
|
Posted: Sun Feb 25, 2018 4:36 am Post subject: |
|
|
Ant P. wrote: | You need write access to issue smart read ioctls in the first place.
Note that you've now given all unprivileged users full read access to the entire SSD. |
Well spotted. I'll change this to be just for user jserink.
The write access is a fly in the ointment here....
I have to read up more on this. Read access for a single user is ok in my mind but write access?
I need to figure out a way to get the temp without having to grant write access.
Cheers,
John |
|
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
|
Posted: Sun Feb 25, 2018 5:35 am Post subject: |
|
|
No, even read access for unprivileged users is wrong. Read access to a block device containing a filesystem is functionally equivalent to giving that user/group read access to every single file in the filesystem, since the user can read the raw block device to get file contents without accessing the filesystem and passing permission checks. |
|
|
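An added example, not part of any post in this thread: a Python audit that follows the point made by Ant P. and Hu above and flags storage device nodes whose mode grants access to every local user. The function names and the `nvmeN` controller pattern are assumptions of this example; the sample lines are taken from the listing in the first post.

```python
import os
import re
import stat

# Assumption of this example: char nodes named nvmeN are storage controllers.
CTRL_RE = re.compile(r"^nvme\d+$")
TYPE_BITS = {"b": stat.S_IFBLK, "c": stat.S_IFCHR}
CHECKS = ((stat.S_IROTH, "readable by every local user"),
          (stat.S_IWOTH, "writable by every local user"))

def mode_from_ls(perms):
    """Convert an `ls -l` mode string such as 'brw-rw-r--' to an st_mode."""
    mode = TYPE_BITS.get(perms[0], 0)
    for i, ch in enumerate(perms[1:10]):
        if ch != "-":
            mode |= 0o400 >> i
    return mode

def check_node(path, mode):
    """Return (path, problem) findings; non-storage nodes yield nothing."""
    is_ctrl = stat.S_ISCHR(mode) and CTRL_RE.match(os.path.basename(path))
    if not (stat.S_ISBLK(mode) or is_ctrl):
        return []
    return [(path, msg) for bit, msg in CHECKS if mode & bit]

def audit_listing(text):
    """Audit pasted `ls -l` output: mode is the first field, path the last."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0][0] in TYPE_BITS:
            found += check_node(fields[-1], mode_from_ls(fields[0]))
    return found

def audit_dev(devdir="/dev"):
    """Audit live device nodes by mode only; no device is opened."""
    modes = ((e.path, e.stat(follow_symlinks=False).st_mode) for e in os.scandir(devdir))
    return [f for path, mode in modes for f in check_node(path, mode)]

# Sample input: three lines of the listing from the first post.
SAMPLE = """\
crw-r--r-- 1 root root 246, 0 Feb 25 2018 /dev/nvme0
brw-rw-r-- 1 root disk 259, 0 Feb 25 2018 /dev/nvme0n1
crw------- 1 root root 10, 144 Feb 25 2018 /dev/nvram
"""

if __name__ == "__main__":
    for path, problem in audit_listing(SAMPLE) + audit_dev():
        print(f"{path}: {problem}")
```

Ordinary character devices such as /dev/null are deliberately ignored, since world access to them is normal; only block nodes and the controller pattern are in scope.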
|
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
|
Posted: Sun Feb 25, 2018 5:52 am Post subject: |
|
|
I think the saner option would be to add nvme support to hddtemp |
|
|
|
|