On Sunday 30 November 2014 at 12:50 +0000, Ivan Shmakov wrote:
>  > PolicyKit relies on logind to know if a user is locally connected.  A
>  > non-local user won't be allowed things like network management, local
>  > device mounting or sound card access.
> 
>       That looks like a problem to solve, not a feature.
> 
>       For home installs, I see no reason for the owner of the device
>       to be /denied/ access to the sound card just because of using
>       SSH.  Why, it’s exactly what I do.  (I even did things like
>       $ ssh remote ogg123 /dev/stdin < local/file.ogg for various
>       reasons in the past.)

PolicyKit does not control access to devices.
The case you pointed out is already handled correctly by systemd: 
      * Users needing full access can be added to the audio group. 
      * Other users only have access to audio devices through ACLs when
        physically logged on.

>       OTOH, for “workplace” installs, I see no reason for the user to
>       be /granted/ access to the things like network management just
>       because he or she happens to be logged in locally, – these
>       privileges should rather be granted only to the person(s)
>       responsible for that particular host.  (And then again, – SSH is
>       a perfectly valid way to access these facilities.)

The nice thing about PolicyKit is that it is configurable.
In this case, you might want to ship laptops to your users and still
allow them to switch wifi networks without giving them root access. But
in the general case, there are things that make sense to forbid in a
workplace environment. It just takes a PKLA file to do so.

>       IIRC, D-I used to add the first non-root user it creates (which
>       more or less is bound to happen to be the owner, or the person
>       otherwise responsible for the host) to a number of groups (like
>       audio or plugdev) to grant access to certain devices.  I know of
>       no reason to abandon this practice.

This practice is still here, but it is absurd. It makes the first user
created special for no reason, failing the principle of least privilege.
If you need permanent access to this device or that feature for a given
user, you can add them to the required groups as needed.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-
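As an added example, not from the message above nor from Debian's or PolicyKit's own configuration, here is a PKLA file of the kind Josselin refers to, for the "workplace" case: ordinary users may switch between existing Wi-Fi networks without root, while changing system-wide connection settings is reserved to a dedicated group, regardless of whether the session is local or over SSH. It targets the pklocalauthority backend of polkit 0.105 (the version Debian shipped at the time of this thread); polkit 0.106 and later replaced .pkla files with JavaScript rules under /etc/polkit-1/rules.d. The file name, the group names "staff" and "netadmin", and the first, deliberately permissive entry are assumptions made for illustration; the action identifiers are the ones NetworkManager registers.

```ini
# Assumed path: /etc/polkit-1/localauthority/50-local.d/10-workplace-network.pkla
#
# pklocalauthority reads directories in the order 10-vendor.d, 20-org.d,
# 30-site.d, 50-local.d, 90-mandatory.d, files within a directory in
# lexical order, and entries within a file top to bottom.  A later matching
# entry overrides an earlier one, so the restrictive entries go last.
#
# Result values: yes, no, auth_self, auth_self_keep, auth_admin,
# auth_admin_keep.  ResultActive applies to a local, active (console)
# session; ResultInactive to a local but switched-away session; ResultAny
# to everything else, including SSH logins.

# Entry 1 (constructed, for contrast only): the "locally logged in, so
# trusted" rule the message objects to for a workplace.  Any user at the
# console may edit system-wide connections; remote users need an admin
# password.  Entries 3 and 4 below override it.
[Contrast: locally active users manage system connections]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=yes

# Entry 2: members of "staff" (assumed group) may bring connections up
# and down, i.e. switch Wi-Fi networks, whether local or over SSH.
# This action does not allow creating or editing system connections.
[Staff may switch networks]
Identity=unix-group:staff
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes

# Entry 3: for everyone, editing system-wide connection settings prompts
# for an administrator password even at the console.  This is the
# least-privilege default; being local no longer grants the privilege.
[System connection settings require an administrator]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

# Entry 4: the people responsible for the host ("netadmin", assumed
# group) get both actions without a prompt, local or remote.
[netadmin manages system connections]
Identity=unix-group:netadmin
Action=org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes
```

After installing the file, the effective decision for the calling process can be checked with pkcheck, e.g. `pkcheck --action-id org.freedesktop.NetworkManager.settings.modify.system --process $$`, once from a console login and once from an SSH session, and `loginctl show-session "$XDG_SESSION_ID" -p Remote -p Active` shows how logind classified the session, which is the input PolicyKit uses to pick between ResultAny, ResultInactive and ResultActive. The same pattern (a wildcard entry that denies or requires auth_admin, followed by a narrow group entry that allows) applies to the udisks mount actions and any other PolicyKit action.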


Archive: https://lists.debian.org/1417355600.5458.7.ca...@debian.org
