>>>>> Vincent Bernat <ber...@debian.org> writes:
>>>>> ❦ 3 December 2014 16:47 GMT, Ivan Shmakov <i...@siamics.net> :

 >>> The problem with those groups is that they are not fine grained
 >>> enough.  For example, the video group gives access to the
 >>> framebuffer device (the user can do a screenshot) or to a webcam
 >>> (the user can spy on another user).  By encouraging the use of those
 >>> groups, we create a big security hole.

 >> Do these security considerations still apply to single-user,
 >> single-seat systems?

 > Yes.

        Namely?

 > We don't "chmod -R a+rwx /" for a good reason.

        That makes, like, an order of magnitude difference.

        The former allows the machine’s owner access to audio devices
        irrespective of /how/ he or she chooses to initiate such access.
        (Say, I may decide to start ogg123(1) via at(1) to wake me up in
        the morning.)  Using Logind there is akin to only allowing user
        access to $HOME while being “physically” logged in.  (Or do we
        consider that a valid restriction as well?)

        On the contrary, the latter would allow for purely accidental
        damage to the system, with no big obvious advantages I could
        readily think of.

-- 
FSF associate member #7257  np. Satellite 15… The Final Frontier — Iron Maiden

