Hello,

On Mon, 2010-08-30 at 13:11 +0300, Martin Paljak wrote:
> Hello,
> 
> On Aug 30, 2010, at 12:19 PM, Ludovic Rousseau wrote:
> > As listed on the pcsc-lite TODO file [1] I would like to run pcscd as
> > a normal user instead of root. To do this I need to:
> Good idea.

Yep, very good idea.

> For example Debian SID extra groups of the auto-created user are: 
> 20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),105(scanner),111(netdev),112(bluetooth),117(powerdev).
>  I don't know exactly what the extra groups are for nor do I care a lot.
> Apparently they are needed to provide a usable desktop experience to me. 
> Quite many OpenCT related questions on the mailing list have been "runs as 
> root, does not run as user" and the reason being missing scard group. 
> 
> If the administrator wants to restrict access to smart cards or readers and 
> is serious about it, I'm sure he'll deploy something like SELinux as 
> well/instead.

That's not right. The groups are for restricting access to some special
devices and some other things. I use Gentoo Linux, and if I want to play
games I need to be a member of the "games" group. That is sometimes
annoying but helps to restrict stuff.

It is the same with devices. I, for example, am playing with LEGO
Mindstorms NXT and I created a "lego" group. When connecting the NXT
brick, the device node gets the group owner "lego"; this is done by udev. Now
only users in the group "lego" are able to use that device. This
restriction even makes sense for smart card readers. In Debian, for
example, only users in the "dialout" group are able to dial with a
connected modem. Therefore this must not be done as the root user, but you
need to add users to that special group for that special functionality.

Using SELinux for that is not the "normal" or "easy" way to restrict
access to special devices. I have been using Linux for 12 years and I don't want
to configure SELinux on my systems. It is not very easy to understand
for normal Linux system users. Adding a user to a special group is much
easier and enough restriction on most Linux based systems.

Kind regards,
Johannes
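
The group-owned device node pattern described in the message above, as an added example that is not part of the thread or of pcsc-lite: a udev rule gives the node to a dedicated group with mode 0660, and a small pure function reproduces the POSIX permission check so the effect can be seen without a real device. The group name "lego", the vendor/product IDs 1234/5678 and the function names are constructed placeholders; real IDs come from `lsusb`.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows the pattern Johannes
# describes: a udev rule hands the device node to a dedicated group, and only
# members of that group (plus root) can open it. The vendor/product IDs and
# the "lego" group name below are placeholders; take real IDs from `lsusb`.

# Emit one udev rule line matching a USB device by vendor/product ID and
# giving its node to GROUP with mode 0660 (owner root rw, group rw, others none).
make_device_rule() {
    vendor="$1"; product="$2"; group="$3"
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GROUP="%s", MODE="0660"\n' \
        "$vendor" "$product" "$group"
}

# Pure check of the POSIX permission rule for a non-root user:
# if the user is in the node's group, only the group bits count (there is no
# fallback to "other"); otherwise the "other" bits decide. Returns 0 when
# read+write (digit 6 or 7) is granted.
# Usage: can_access MODE NODE_GROUP "space-separated list of the user's groups"
can_access() {
    mode="$1"; node_group="$2"; user_groups="$3"
    case ${#mode} in 3) mode="0$mode" ;; esac      # accept 660 or 0660
    group_digit=$(printf '%s' "$mode" | cut -c3)
    other_digit=$(printf '%s' "$mode" | cut -c4)
    for g in $user_groups; do
        if [ "$g" = "$node_group" ]; then
            [ "$group_digit" -ge 6 ] && return 0
            return 1
        fi
    done
    [ "$other_digit" -ge 6 ] && return 0
    return 1
}

# Real groups of a user on this system (what the node's GROUP= is checked against).
groups_of() {
    id -nG "$1"
}

# Demonstration: print the rule that would go into /etc/udev/rules.d/, then
# report whether the current user would get the node. 1234/5678 are constructed.
rule=$(make_device_rule 1234 5678 lego)
printf '%s\n' "$rule"
if can_access 0660 lego "$(groups_of "$(id -un)")"; then
    echo "$(id -un) is in group lego: device would be usable"
else
    echo "$(id -un) is not in group lego: add the user with 'usermod -aG lego USER'"
fi
```

The rule line is what an administrator would drop into a file under /etc/udev/rules.d/ (udev reloads rules on the next device plug-in); the membership check is the same decision the kernel makes on open(), so a "not in group" result here means a non-root daemon or user gets EACCES on the node.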


_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
