Package: udev
Version: 164-3
Severity: normal

Hi,

udev contains support for consolekit. The rule file 70-acl.rules and /lib/udev/udev-acls change the ACLs of certain device files to give local users access. I consider this a serious security problem.

I have a guest account to let others use my system. When they log in, they automatically gain access to these devices. And they can keep this access even after logout, if they so wish, by starting a background job that keeps the device open. Think: camera and microphone.

Consolekit is broken by design and there is no way of fixing these security implications. The only real fix is to not use consolekit, and stick with the traditional scheme of letting root decide who gets permissions for what. Consolekit takes away this control from root. In my opinion, root should always be in full control.

I'd suggest moving 70-acl.rules to the consolekit package and removing the dependency on consolekit. This way, nothing changes for folks who value convenience over everything else. But those who value security and like to be in full control over their own system would no longer be forced to use consolekit. In any case, it seems more logical to me that consolekit specifics should be contained in the consolekit package.

Cheers,
harry

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-hb (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages udev depends on:
ii  debconf [debconf-2.0]  1.5.36            Debian configuration management sy
ii  libc6                  2.11.2-7          Embedded GNU C Library: Shared lib
ii  libselinux1            2.0.96-1          SELinux runtime shared libraries
ii  libudev0               164-3             libudev shared library
ii  libusb-0.1-4           2:0.1.12-16       userspace USB programming library
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  util-linux             2.17.2-5          Miscellaneous system utilities

Versions of packages udev recommends:
ii  pciutils               1:3.1.7-6         Linux PCI Utilities
ii  usbutils               0.87-5            Linux USB utilities

udev suggests no packages.

-- Configuration Files:
/etc/udev/udev.conf changed [not included]

-- debconf information excluded
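
Added example, not part of the original bug report or of udev/consolekit: a shell audit for the two conditions the report describes, per-user ACL grants on device nodes and device files still held open by a user with no active session. The function names are hypothetical, the sample input is constructed, and the list of active users is assumed to be passed in by the administrator.

```shell
# Added audit example; function names and sample data are constructed here.

# Print "<path> <user> <perms>" for every named-user ACL entry found in
# 'getfacl -p' output on stdin (the per-user grants added to device nodes).
named_user_acls() {
    awk -F: '
        /^# file: / { path = substr($0, 9); next }
        $1 == "user" && $2 != "" { split($3, p, /[ \t]/); print path, $2, p[1] }
    '
}

# Read 'lsof -F pLn' output on stdin; arguments are login names with an
# active session. Print "<pid> <user> <path>" for camera/sound nodes held
# open by any other non-root user, e.g. a job left running after logout.
stale_holders() {
    awk -v active=" $* " '
        /^p/ { pid = substr($0, 2); next }
        /^L/ { user = substr($0, 2); next }
        /^n\/dev\/(video|snd\/)/ {
            if (user != "root" && index(active, " " user " ") == 0)
                print pid, user, substr($0, 2)
        }
    '
}

# Constructed sample input, not captured from a real system.
SAMPLE_ACL='# file: /dev/video0
# owner: root
user::rw-
user:guest:rw-
group::rw-
# file: /dev/snd/pcmC0D0c
user::rw-
user:harry:rw-
mask::rw-'
SAMPLE_LSOF='p2101
Lharry
n/dev/snd/pcmC0D0c
p3377
Lguest
n/dev/video0
n/dev/null
p901
Lroot
n/dev/video0'
printf '%s\n' "$SAMPLE_ACL" | named_user_acls
printf '%s\n' "$SAMPLE_LSOF" | stale_holders harry
# Live use: getfacl -p /dev/video* /dev/snd/* | named_user_acls
#           lsof -F pLn /dev/video* /dev/snd/* | stale_holders harry
```

Removing an ACL entry does not close a descriptor that is already open, so the second check is the one that finds a holder left over from an earlier session.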