Parted - GNU Partition Editor [PSARC/2009/145 FastTrack timeout 03/06/2009]
Phi Tran
Phi.Tran at sun.com
Thu Mar 5 08:19:35 PST 2009
James Carlson wrote:
> Nicolas Williams writes:
>> On Thu, Mar 05, 2009 at 10:50:39AM +0000, Darren J Moffat wrote:
>>> Phi Tran wrote:
>>>> I agree to the above if we tie read and write together, but I was
>>>> thinking about the case when we want separate read and write control.
>>>> I was thinking the model could be that everyone on the console by
>>>> default would have read privilege for parted. The write
>>>> privilege could be controlled by the auth and be part of a separate
>>>> profile.
>>> I don't see why being on the console should be special for this, please
>>> explain the rationale.
>> I agree. Given the use of RBAC we automatically get the ability to
>> grant console users access to parted, if the sysadmin wants to (though I
>> seriously doubt it).
>
> It's also not necessary for "normal" single user machine
> administration, at least on OpenSolaris. The initial user there gets
> added with the 'Primary Administrator' profile and 'root' role.
>
My idea was that read and write access could be decoupled which would
allow the administrator the ability to have finer control. A paranoid
administrator could think that read access should be limited since more
knowledge about the partitions may be valuable to a hacker. I'm not
saying decoupling read and write is a requirement, but it will give
the choice to the administrator.

Currently, we decided not to separate read/write access; and we will
leave that as a future option if there is more justification.

Phi