Your message dated Mon, 24 Jan 2011 10:12:03 +0100
with message-id <[email protected]>
and subject line Re: Bug#610696: udev: Udev changes device file ACLs and 
depends on consolekit
has caused the Debian Bug report #610696,
regarding udev: Udev changes device file ACLs and depends on consolekit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
610696: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610696
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: udev
Version: 164-3
Severity: normal

Hi,

udev contains support for consolekit. The rule file 70-acl.rules and 
/lib/udev/udev-acls change the ACLs of certain device files to give local users
access. 

I consider this a serious security problem. I have a guest account to let others
use my system. When they log in, they automatically gain access to these
devices. And they can keep this access even after logout, if they so wish, by 
starting a background job that keeps the device open. Think: camera and 
microphone.

Consolekit is broken by design and there is no way of fixing these security 
implications. The only real fix is to not use consolekit and stick with the 
traditional scheme of letting root decide who gets permissions for what. 
Consolekit takes away this control from root. In my opinion, root should always
be in full control.

I'd suggest moving 70-acl.rules to the consolekit package and removing the 
dependency on consolekit. This way, nothing changes for folks who value 
convenience over everything else. But those who value security and like
to be in full control over their own system would no longer be forced to use
consolekit. In any case, it seems more logical to me that consolekit specifics
should be contained in the consolekit package.

Cheers,
harry


-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-hb (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages udev depends on:
ii  debconf [debconf-2.0]   1.5.36           Debian configuration management sy
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libudev0                164-3            libudev shared library
ii  libusb-0.1-4            2:0.1.12-16      userspace USB programming library
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  util-linux              2.17.2-5         Miscellaneous system utilities

Versions of packages udev recommends:
ii  pciutils                      1:3.1.7-6  Linux PCI Utilities
ii  usbutils                      0.87-5     Linux USB utilities

udev suggests no packages.

-- Configuration Files:
/etc/udev/udev.conf changed [not included]

-- debconf information excluded



--- End Message ---
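
The persistence described in the report above follows from ordinary Unix semantics: access is checked when a file is opened, so removing an ACL entry afterwards does not affect descriptors that are already held. The following is an added example, not part of the original report or of udev; it uses a temporary file and `chmod` as stand-ins for a device node and ACL removal, and adds an audit helper that lists processes still holding given paths open (the `/dev` globs in the main block are assumptions, and `/proc` means Linux only).

```python
import glob
import os
import tempfile

def holders(paths, proc="/proc"):
    """Return sorted (pid, uid, path) for each process holding one of paths open."""
    wanted = {os.path.realpath(p) for p in paths}
    hits = set()
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            uid = os.stat(os.path.join(proc, entry)).st_uid  # owner of the process
            fd_dir = os.path.join(proc, entry, "fd")
            names = os.listdir(fd_dir)
        except OSError:  # process exited, or we are not allowed to inspect it
            continue
        for name in names:
            try:
                target = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                continue
            if target in wanted:
                hits.add((int(entry), uid, target))
    return sorted(hits)

def fd_survives_revocation():
    """Open a file, drop all permissions on it, then read via the old descriptor."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"frame-data")  # constructed stand-in for device output
        path = tmp.name
    fd = os.open(path, os.O_RDONLY)  # the only point where access is checked
    try:
        os.chmod(path, 0)            # stand-in for the ACL entry being removed
        data = os.read(fd, 64)       # still succeeds through the open descriptor
        found = holders([path])      # the audit still sees who holds it
    finally:
        os.close(fd)
        os.unlink(path)
    return data, found

if __name__ == "__main__":
    print(fd_survives_revocation())
    # Assumed device paths for camera and sound nodes; adjust for the system.
    for pid, uid, path in holders(glob.glob("/dev/video*") + glob.glob("/dev/snd/*")):
        print(f"pid={pid} uid={uid} holds {path}")
```

Run as root to see holders belonging to other users; comparing the reported uids against the users with an active session shows descriptors that outlived a logout.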
--- Begin Message ---
On Jan 24, Harald Braumann <[email protected]> wrote:

> I've had another look at the package and it seems, that udev doesn't
> really require consolekit. The only dependency to consolekit I could
And indeed it does not. Go away.

Depends: libc6 (>= 2.8), libselinux1 (>= 1.32), libusb-0.1-4 (>= 2:0.1.12), 
libudev0 (= 164-4), lsb-base (>= 3.0-6), util-linux (>= 2.16)
Recommends: usbutils, pciutils

-- 
ciao,
Marco



--- End Message ---
