
Re: make lvol read only

 
Mike Tufariello
Frequent Advisor

make lvol read only

I noticed in SAM under Disk and File Systems, under Logical Volumes, after selecting an lvol, under Actions, is the modify option. And under the modify option is the access permissions box where Read Only can be selected. Is this as obvious as it seems? That all files and data on this lvol will be read only if the option is selected?

I have multiple databases that the users should have "read only" access to located in one lvol. Is this a way to protect the data?

Thanks,
12 REPLIES
James R. Ferguson
Acclaimed Contributor
Solution

Re: make lvol read only

Hi Mike:

You would mount the filesystem read-only. See the manpages for 'mount(1M)'.

# man 1M mount
# man 1M mount_vxfs

Regards!

...JRF...
Mridul Shrivastava
Honored Contributor

Re: make lvol read only

mount is the best option to use if you want to give read only to a file system.

If the lvol is raw and you are not going to create any file system on it, then you can change the permission on that lvol device to read only 755 (give write access to root only).
Time has a wonderful way of weeding out the trivial
Torsten.
Acclaimed Contributor

Re: make lvol read only

Hi Mike,

In fact this SAM option is changing the mount command to do a "read-only" mount - mount -r.

See "man 1m mount" as mentioned.

No way to protect a LVOL, but you can protect a whole VG by vgchange in read only mode.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

A. Clay Stephenson
Acclaimed Contributor

Re: make lvol read only

When a filesystem is mounted (either on a device node that represents a physical disk, an array LUN, or a device abstraction such as a logical volume) the permissions of the underlying device node no longer matter -- as long as the device node permissions (more properly the mode of the device node) permit the mount operation itself. The mode of the filesystem's root directory (inode 2) then determines what operations are permitted.

However, in the case where an LVOL is used as a raw character or block device (i.e., no filesystem is mounted) then the mode of the device node does directly matter, so that setting the device node to read-only would have exactly that effect -- except for those processes running under an effective UID of zero. In that case (as with filesystems) permissions don't matter when root is in the house.
If it ain't broke, I can fix that.
Mike Tufariello
Frequent Advisor

Re: make lvol read only

Thanks to all. I've been away for a few days.

So let me see if I understand.

I can use SAM to change the file system mounted on the lvol to read only, but not the lvol itself?

By selecting read only under the "Modify a Local File System" screen in SAM I would be doing the same thing as an umount and mount at the command line?

Thanks,
Torsten.
Acclaimed Contributor

Re: make lvol read only

SAM will force a

mount -r /dev...

instead of

mount /dev...

Hope this helps!
Regards
Torsten.
Mike Tufariello
Frequent Advisor

Re: make lvol read only

Thanks Torsten.

So I take that as a yes to my questions?
A. Clay Stephenson
Acclaimed Contributor

Re: make lvol read only

Bear in mind that the mode (permissions) of a file or directory (even if this directory is the root directory of a filesystem) is completely ignored if the effective UID of a user is 0 (i.e., root). This means that even if the permissions were read-only, a super-user can still write to the file or directory. The only way to make a filesystem read-only for all users is to mount -r. An exception to this rule is if the physical media itself is read-only (e.g. a CDROM); obviously, even if mounted read-write, even a super-user could not write to such a medium.

You are really adding a layer of obfuscation when you add SAM to this question because SAM (at most) can only do what the underlying commands and system calls allow it to do.
If it ain't broke, I can fix that.
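
Added example, not part of any poster's reply: a read-only mount only survives a reboot if the fstab entry carries the `ro` option, so this sketch audits fstab-style lines and lists the mount points that are not configured read-only. It assumes the usual six-field layout (device, mount point, type, options, backup frequency, pass number); the sample entries, volume names and the `/db` prefix are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input; device and mount point names are made up.
SAMPLE_FSTAB='# device  mountpoint  type  options  backup  pass
/dev/vg01/lvol1 /db/sales   vxfs ro,delaylog                0 2
/dev/vg01/lvol2 /db/hr      vxfs ioerror=mwdisable,delaylog 0 2
/dev/vg01/lvol3 /db/archive vxfs rw,suid                    0 2
/dev/vg01/lvol4 /db/ref     vxfs delaylog,ro                0 2
/dev/vg00/lvol5 /home       vxfs delaylog                   0 2'

# is_ro OPTIONS
# Succeeds only when "ro" is a whole comma-separated option.
# A plain substring match would wrongly accept "ioerror=...".
is_ro() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_fstab TEXT PREFIX
# Prints every mount point at or below PREFIX whose options lack "ro".
audit_fstab() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        # Skip blank lines and comments.
        case "$dev" in ''|'#'*) continue ;; esac
        # Only look at the filesystems that should be protected.
        case "$mnt" in "$2"|"$2"/*) ;; *) continue ;; esac
        is_ro "$opts" || printf '%s\n' "$mnt"
    done
}

# Lists /db/hr and /db/archive for the sample above.
audit_fstab "$SAMPLE_FSTAB" /db
```

On a live system the same function can be fed the real table, for example `audit_fstab "$(cat /etc/fstab)" /db`.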
Mike Tufariello
Frequent Advisor

Re: make lvol read only

So are you saying not to use SAM?

At this point we would prefer that only root have write access to the file systems.

The file systems in question are already mounted. Are you saying to umount them, then mount them with the -r option at the command line? And then even root will have read only access?
Josiah Henline
Valued Contributor

Re: make lvol read only

You do not want to use sam or mount the file system read only if you want root to be able to write to the file system. Mounting a file system as read only takes root write access away from the file system and root will only be able to read and execute.
If at first you don't succeed, read the man page.
Marvin Strong
Honored Contributor

Re: make lvol read only

You're saying these are databases, why don't you use the database itself to make the data read only instead of the OS?

Certainly you can mount the filesystems, assuming they are filesystem databases, read only.

Or in the case of a raw lvol, make the permissions 444. But be aware, as stated above, root could still write.
Mike Tufariello
Frequent Advisor

Re: make lvol read only

Thanks for all the feedback.