Gentoo Forums
nvme permission issues
jserink
l33t


Joined: 30 Jan 2004
Posts: 932

Posted: Sat Feb 24, 2018 5:11 pm    Post subject: nvme permission issues

Hi All:

I have upgraded my laptop and the new one has a PCI SSD so hddtemp doesn't work anymore in conky.
I had to unmask nvme and install that.
I can get the temperature easily as root like this:
Code:
jserinki7 /home/jserink # nvme smart-log /dev/nvme0 | grep "^temperature" | cut -c39-42
48 C


You can see, it works perfectly.
Now, I have added myself and the command to my sudoers file like this:
Code:
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
jserink jserinki7 = NOPASSWD:/usr/sbin/iw
jserink jserinki7 = NOPASSWD:/usr/sbin/nvme
Defaults !syslog, !pam_session
## Read drop-in files from /etc/sudoers.d


You can see I also have iw in there to read wifi status for conky.

Anyhow, while testing this while NOT root:
Code:
jserink@jserinki7 ~ $ /usr/sbin/nvme version
nvme version 1.5


It's not throwing an error like before the addition to sudoers.
But.....
Code:
jserink@jserinki7 ~ $ /usr/sbin/nvme list


As root:
Code:
jserinki7 /home/jserink # nvme list
Node             SN                   Model                                    Namespace Usage                      Format           FW Rev
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1     EJ7AN48171040AA11    PC300 NVMe SK hynix 512GB                1         512.11  GB / 512.11  GB    512   B +  0 B   20005A00


Why doesn't that work?

I have given read permissions to the associated /dev entries as such:
Code:
crw-r--r-- 1 root root 246,   0 Feb 25  2018 /dev/nvme0
brw-rw-r-- 1 root disk 259,   0 Feb 25  2018 /dev/nvme0n1
brw-rw-r-- 1 root disk 259,   1 Feb 25  2018 /dev/nvme0n1p1
brw-rw-r-- 1 root disk 259,   2 Feb 24 22:04 /dev/nvme0n1p2
brw-rw-r-- 1 root disk 259,   3 Feb 25  2018 /dev/nvme0n1p3
brw-rw-r-- 1 root disk 259,   4 Feb 24 22:04 /dev/nvme0n1p4
crw------- 1 root root  10, 144 Feb 25  2018 /dev/nvram

Which at least got me this far.
Here is the problem I am worried about:

Code:
jserink@jserinki7 ~ $ /usr/sbin/nvme smart-log /dev/nvme0 | grep "^temperature" | cut -c39-42
smart log: Permission denied


So, what in the system do I have to provide read rights so that a normal user can read this?
I searched for this "smart log" and there is nothing there by that name.

Ideas?

Cheers,
john

[Moderator edit: added [code] tags to preserve output layout. -Hu]
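
An added example, not part of the original post: a sudoers rule only takes effect when the command is run through sudo, and the posted commands call /usr/sbin/nvme directly. The sketch below assumes a rule narrowed to the single smart-log query and parses the temperature by field instead of by character column; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Assumed sudoers rule (edit with visudo). Listing the arguments limits the
# grant to this one query instead of every nvme subcommand:
#   jserink jserinki7 = NOPASSWD: /usr/sbin/nvme smart-log /dev/nvme0

# Constructed sample of `nvme smart-log` text, so the parser can run offline.
sample_smart_log() {
    cat <<'EOF'
Smart Log for NVME device:nvme0 namespace-id:ffffffff
critical_warning                    : 0
temperature                         : 48 C
available_spare                     : 100%
EOF
}

# Read smart-log text on stdin and print the temperature value.
# Splits on the colon, so it does not depend on fixed column positions.
# Exits non-zero when no temperature line is present.
parse_nvme_temp() {
    awk -F':' '
        $1 ~ /^temperature[ \t]*$/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)   # trim surrounding blanks
            print v
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# What conky would call as the unprivileged user.
# -n: never prompt; fail at once if the sudoers rule does not match.
nvme_temp() {
    sudo -n /usr/sbin/nvme smart-log /dev/nvme0 | parse_nvme_temp
}

# Demo on the constructed sample.
sample_smart_log | parse_nvme_temp
```

With this in place the device nodes under /dev can keep their original ownership and modes.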
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5727

Posted: Sat Feb 24, 2018 7:45 pm

You need write access to issue smart read ioctls in the first place.

Note that you've now given all unprivileged users full read access to the entire SSD.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 43015
Location: 56N 3W

Posted: Sat Feb 24, 2018 8:37 pm

Ant P.

It's probably safer to set the suid bit on /usr/sbin/nvme, so it runs as root.
That's ugly too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
jserink
l33t


Joined: 30 Jan 2004
Posts: 932

Posted: Sun Feb 25, 2018 4:36 am

Ant P. wrote:
You need write access to issue smart read ioctls in the first place.

Note that you've now given all unprivileged users full read access to the entire SSD.

Well spotted. I'll change this to be just for user jserink.

The write access is a fly in the ointment here....
I have to read up more on this. Read access for a single user is ok in my mind but write access?

I need to figure out a way to get the temp without having to grant write access.

Cheers,
John
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13745

Posted: Sun Feb 25, 2018 5:35 am

No, even read access for unprivileged users is wrong. Read access to a block device containing a filesystem is functionally equivalent to giving that user/group read access to every single file in the filesystem, since the user can read the raw block device to get file contents without accessing the filesystem and passing permission checks.
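
An added example, not part of the original post: a check that flags device nodes whose mode lets any local user read or write them, run here over the /dev listing posted earlier in the thread. The function names `sample_listing` and `audit_dev_modes` are chosen for this example.

```shell
#!/bin/sh
# The /dev listing from the first post, embedded so the check runs offline.
sample_listing() {
    cat <<'EOF'
crw-r--r-- 1 root root 246,   0 Feb 25  2018 /dev/nvme0
brw-rw-r-- 1 root disk 259,   0 Feb 25  2018 /dev/nvme0n1
brw-rw-r-- 1 root disk 259,   1 Feb 25  2018 /dev/nvme0n1p1
brw-rw-r-- 1 root disk 259,   2 Feb 24 22:04 /dev/nvme0n1p2
brw-rw-r-- 1 root disk 259,   3 Feb 25  2018 /dev/nvme0n1p3
brw-rw-r-- 1 root disk 259,   4 Feb 24 22:04 /dev/nvme0n1p4
crw------- 1 root root  10, 144 Feb 25  2018 /dev/nvram
EOF
}

# Read `ls -l` lines on stdin; print "<node> <mode> <finding>" for every
# block or character device that grants read or write to "other".
audit_dev_modes() {
    awk '
        # Mode strings starting with b or c are device nodes.
        $1 ~ /^[bc]/ {
            other = substr($1, 8, 3)   # rwx triplet for "other"
            r = index(other, "r")
            w = index(other, "w")
            finding = ""
            if (r && w) finding = "world-readable,world-writable"
            else if (r) finding = "world-readable"
            else if (w) finding = "world-writable"
            if (finding != "") print $NF, $1, finding
        }'
}

# Demo on the embedded listing.
# For a live check: ls -l /dev/nvme* | audit_dev_modes
sample_listing | audit_dev_modes
```

On the posted listing it reports all six nvme nodes as world-readable and leaves /dev/nvram alone.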
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5834

Posted: Sun Feb 25, 2018 5:52 am

I think the saner option would be to add nvme support to hddtemp
All times are GMT