On 03/12/14 14:46, Svante Signell wrote:
> On Wed, 2014-12-03 at 14:25 +0100, Vincent Bernat wrote:
>> The problem with those groups is that they are not fine grained
>> enough.
>
> If more granularity is needed, what's hindering introduction of even
> more groups: like an image group and splitting the fb0 to more devices?
> Or even subdirectories like /dev/snd/* for audio etc.
This does not actually solve the same problem as logind's "uaccess", or ConsoleKit's "udev ACL" (which was an older version of the same general idea): it just splits it up into a larger number of orthogonal instances of the same problem, which is that group membership makes a poor encoding for temporary permissions.

A normal user with no special privileges should be able to access the webcam on a PC if and only if they are physically sitting at that PC: they should not be forbidden from using it altogether, but neither should they be able to log in via ssh and spy on the PC's current user. Granting privileges based on groups can only reliably give you access all the time (including ssh or other remote logins) or none of the time; it cannot give you access only while you are logged in locally.

logind's "uaccess" and ConsoleKit's "udev ACLs" both work by tagging device nodes with a marker that means "this should be available to locally-logged-in users"; whenever a user logs in for the first time (as detected by a PAM module), putting POSIX ACLs on those tagged device nodes that give access to that user; and whenever a user logs out for the last time (PAM again), removing those ACLs again. It looks like this:

    # file: dev/video0
    # owner: root
    # group: video
    user::rw-
    user:smcv:rw-
    group::rw-
    mask::rw-
    other::---

FAQ which someone will bring up at this point unless I specifically mention it: but what about pam_group?

Answer: anyone with write access to any filesystem that is not mounted nosuid (let's say it's /var/tmp) can make their temporary group-based privileges permanent. Suppose I get placed in group video when I log in locally, but not when I log in via ssh.
Then I can do this:

    # while logged in locally, and thus granted access to gid video
    cp /bin/dash /var/tmp/my-video-shell
    chgrp video /var/tmp/my-video-shell
    chmod g+s /var/tmp/my-video-shell

    # later, via ssh or something
    /var/tmp/my-video-shell -c eavesdrop-via-the-webcam &

And yes, in principle we could bind-mount /tmp, /dev/shm, /var/tmp, /run/lock, /home, ... over themselves to make them nosuid if they are not already - but that's relatively complex, would "fail open" if we miss an a+w directory in /srv or something, potentially breaks existing desired functionality like ikiwiki's optional setuid wrappers, and we don't need it because we already have at least two working implementations of the ACL solution.

S

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/547f4088.8030...@debian.org
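The following is an added example, not code from systemd-logind, ConsoleKit or the thread above. It models the "uaccess"/"udev ACL" mechanism the message describes (ACL granted on the first local login, removed on the last local logout, never granted for remote sessions), and adds a small audit that parses getfacl output of the kind shown above and reports ACL entries held by users with no current local session. The device paths, usernames and the getfacl text are constructed sample data; the setfacl commands in the comments show what a real implementation would run at each step.

```python
"""Model of the "grant device ACLs only while logged in locally" scheme, plus
an audit of getfacl output.  Added example; not logind's or ConsoleKit's code."""
import re
from dataclasses import dataclass, field

# Device nodes tagged (in the real systems, by a udev rule) as
# "available to locally logged-in users".  Constructed sample paths.
TAGGED_DEVICES = ("/dev/video0", "/dev/snd/pcmC0D0p")


@dataclass
class SeatState:
    """Local session count per user, and the named-user ACL set per device."""
    local_sessions: dict = field(default_factory=dict)
    acls: dict = field(default_factory=lambda: {d: set() for d in TAGGED_DEVICES})

    def login(self, user, local):
        """PAM session-open hook: only the FIRST local session grants ACLs."""
        if not local:                     # ssh or other remote login: nothing
            return
        self.local_sessions[user] = self.local_sessions.get(user, 0) + 1
        if self.local_sessions[user] == 1:
            for dev in self.acls:         # setfacl -m u:<user>:rw <dev>
                self.acls[dev].add(user)

    def logout(self, user, local):
        """PAM session-close hook: the LAST local session revokes them."""
        if not local or user not in self.local_sessions:
            return
        self.local_sessions[user] -= 1
        if self.local_sessions[user] == 0:
            del self.local_sessions[user]
            for dev in self.acls:         # setfacl -x u:<user> <dev>
                self.acls[dev].discard(user)

    def can_access(self, user, dev):
        """True iff the user currently holds an ACL entry on the device."""
        return user in self.acls.get(dev, set())


# Named-user entries look like "user:smcv:rw-"; the owner entry is "user::rw-"
# (empty name) and is deliberately not matched.
ACL_USER = re.compile(r"^user:([^:]+):([rwx-]{3})$")


def parse_getfacl(text):
    """Return {user: perms} for the named-user entries in getfacl output."""
    entries = {}
    for line in text.splitlines():
        m = ACL_USER.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def stale_acl_users(getfacl_text, local_users):
    """Users holding a device ACL without a current local session."""
    return sorted(set(parse_getfacl(getfacl_text)) - set(local_users))


# Constructed getfacl output: 'olduser' is a leftover entry that a correct
# implementation would already have removed at that user's last logout.
SAMPLE_GETFACL = """\
# file: dev/video0
# owner: root
# group: video
user::rw-
user:smcv:rw-
user:olduser:rw-
group::rw-
mask::rw-
other::---
"""

if __name__ == "__main__":
    seat = SeatState()
    seat.login("smcv", local=True)
    seat.login("smcv", local=False)       # an ssh session from the same user
    print(seat.can_access("smcv", "/dev/video0"))    # True while seated
    seat.logout("smcv", local=True)
    print(seat.can_access("smcv", "/dev/video0"))    # False: ssh alone gets nothing
    print(stale_acl_users(SAMPLE_GETFACL, ["smcv"])) # ['olduser']
```

The point the model makes concrete is the one the message argues: access follows the local session, not the user, so a remote login by the same account inherits nothing, and revocation happens without needing anything as drastic as mounting every writable filesystem nosuid.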