On 1/28/09, Andreas Jellinghaus <a...@dungeon.inka.de> wrote:
> someone has a group "usb"? ouch. I don't like this proposal.

Gentoo has.

> people might think "lets add a user to that group, like we do with audio
> and video, so people can use usb devices". if then this would be implemented
> like alon suggested, a user can access a device, that is required for login
> authentication (if you configured smart card authentication). bad idea, at
> minimum this could be a denial of service attack. not sure if claiming an
> interface via usb control prevents every other process to see what you send
> to and receive from that device, but I hope it does.

Yes. It is exactly like video and audio. If users need direct access to
USB they can be permitted to do so.

> My recommendation stands: either run that software as root, or use a special
> user for these access rights. (is there a special reason not to have some
> user as the owner of the dynamically created device nodes? if so, a special
> group with one user only could help, but it should not have a generic name.
> and I don't know of any such reason)

Running software as root is the worst solution. Especially security
centric software.

> btw: many distributions have a group "scard" that regulates access to smart
> card reader middleware (pcscd and openct). (well, ok, debian and ubuntu have
> that group, not 100% sure about other distributions).

I don't care how you call this group as long as you run daemons in
least-privilege mode.

Alon.