On Tue, Jul 10, 2018 at 2:53 PM Tony Battersby <tonyb@xxxxxxxxxxxxxxx> wrote: > > At my job (https://www.cybernetics.com/), I use the write()/read() > interface to the SCSI generic driver for access to tape drives and tape > medium changers. For example, the write()/read() interface is useful > for implementing RAID-like functionality for tape drives since a single > thread can send commands to multiple tape drives at once and poll() for > command completion. Ugh. > We have a lot of code invested in this interface, > so it would be a huge pain for us if it were removed. But in our case, > everything runs as root (as the firmware of an embedded storage > appliance), so extra permission checks should be OK. I wonder if we could make the warning literally about not having CAP_SYS_RAWIO on the file descriptor. Because the /dev/sg interfaces don't even do the kind of command filtering that the SG_IO code does. The SG_IO code (well, at least the block/scsi_ioctl.c code - again /dev/sg does NOT get it right!) actually has a whitelist of commands that have known behavior, and that can be done by normal users when you open a device. To actually do _arbitrary_ commands, you have to have CAP_SYS_RAWIO. And there we check the _current_ capabilities (not the file descriptor one), because an ioctl isn't something you just fool a random suid program into doing for you. So /dev/sg really has serious issues. Not just the read/write part, but even the SG_IO part is broken right now (sg_new_write() actually does do blk_verify_command(), but only for read-only opens for some reason). Linus
