Hi,

On Mon, 2005-02-07 at 00:12 +0100, Tom Parker wrote:
> 2) Replace the current 'check for a /var/run/console/$username' with an
> actual implementation of the pam_console logic i.e. check the user's
> logged in terminal and see if they're a console user. This gets around
> the Debian issues as we're not messing around with device node
> permissions at all.

I'd rather not maintain this (it seems likely to get into a lot of distribution-specific issues and be security-sensitive, and I can't test it).

The right thing in my mind is for distributions to maintain this; whether in the form of pam_console, or just specifically for use by dbus.

I'm happy to put in any logic needed in dbus to chain to the distribution's choice of ways to do this, as long as I don't have to maintain the actual "at console" mechanism.

i.e. I'd take any distribution patch upstream into dbus (with suitable configure checks and #ifdef) as long as the patch is to chain out to an OS mechanism, rather than to implement the hard bits directly in dbus.

> 3) Replace with something else. Not sure what/how, this depends on how
> useful 'user has a console' is as an authentication measure, and whether
> we actually need something (possibly subtly) different. Ideas welcomed...

That's the other thing OS vendors can do of course; use some other kind of policy besides "at console" - such as "in a particular group" or whatever is desired.

To me this isn't a portability issue, it's an OS feature issue. dbus works with whatever the OS provides, but if the OS provides more function then dbus passes it through to be taken advantage of.

Seems like pam_console would have quite a few other benefits for Debian besides dbus, no? Surely Ubuntu has something in this area already?

Havoc
