Lindsay Haisley <[EMAIL PROTECTED]> posted [EMAIL PROTECTED], excerpted below, on Sun, 21 Oct 2007 23:41:14 -0500:
> It should be pointed out that Gentoo already has something very close to
> what I'm suggesting here. /etc/login.defs has a setting,
> CONSOLE_GROUPS, which defines the "groups to add to the user's
> supplementary group set when logging in on the console". The default,
> reasonably, is to add no groups, but uncommenting the setting in this
> file adds groups floppy, audio and cdrom.
>
> Rather than describing this as a "very Bad Thing" the comments in the
> file simply instruct the sysadmin to "Use with caution".

... And I agree with it at that level... because it's not the default. A warning to the sysadmin to "use with caution" is then enough. If they decide to use it (which I agree can be reasonable on a single-human-user desktop system, IIRC I have my regular user in plugdev here) and end up screwed as a result, well, it's very likely their own fault.

(The "very likely" qualifier added to match the case where a distribution and/or upstream were unreasonably slow on updating after a remotely exploitable security vuln in related software is made known to them, but they did nothing, including failing to publish the vuln, thus letting the admin know and putting responsibility on him once again, for continuing to use software with known remote exploits either ignoring or not following the given warnings.)

> Unfortunately, this setting won't work with Hal and plugdev, which
> relies entirely on reading /etc/group.

So hal wants the user to be permanently registered for plugdev, as opposed to simply added based on console login.

FWIW, console-based perms (as with pam and /etc/security/console.perms, when it used to default to active) never worked right here, anyway, due to the way I use the system. Most of the time when I'm logged in to X, it's not considered a console login, because I log in at the text terminal, then run a script that starts X and KDE, waits a few seconds, and logs me out at the console. This always resulted in all sorts of stuff including sound seldom working right, since it would be active while I was logged in at the text console, but I was logged out of it most of the time when I was in X/KDE. I ended up setting permissions and groups such that my user had general access to sound and whatever other devices, regardless of console login status, because the system seemed to think I was logged out most of the time.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

-- 
[EMAIL PROTECTED] mailing list
