[Gernot Salzer]
what is the standard/canonical way of handling device permissions
in Debian (etch in my case) on desktop PCs running a GUI?
As you probably found out from the replies so far, there is no
standard way. :(
Here are some notes I wrote for Debian Edu. You might find it useful.
On Tuesday 17 October 2006 13:50, Petter Reinholdtsen wrote:
By updating /etc/pam.d/common-auth and /etc/security/group.conf it is
possible to add the logged in user to the groups needed (audio,
floppy, cdrom, plugdev, video). In addition to getting access to
the devices present
[Hendrik Sattler]
Does that work when not using pmount but only hal to mount devices? Can the
other side of d-bus messages be aware of such group memberships?:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=377689
Thank you for the reference. It seems to me that this problem still
exists in
Wed, 2006-10-11 at 23:17 +0200, Tim Dijkstra wrote:
One problem is that a user can launch a daemon that keeps the device file
open before she logs out
Also I was referring to how pam_group works, but I find this way of
handling permissions even more broken than pam_group. For example,
On Wed, 11 Oct 2006, Roland Mas wrote:
Sam Morris, 2006-10-11 13:40:08 +0200 :
I think HAL/PolicyTool/pam_foreground will eventually give us a
(slow?) solution to problems like this, but it's some way off at the
moment. Being able to add/revoke permissions with traditional
security
Dear DDs D-friends,
what is the standard/canonical way of handling device permissions
in Debian (etch in my case) on desktop PCs running a GUI?
It seems that users have to be added to group audio
in order to be able to access audio devices, group video to access
video devices, cdrom to access
On Wed, 11 Oct 2006 13:08:27 +0200, Gernot Salzer wrote:
It seems that users have to be added to group audio
in order to be able to access audio devices, group video to access
video devices, cdrom to access cdrom, and so on. Or did I miss some
setting during installation of etch?
Having to
Having to add users to particular groups is not reasonable in a
desktop setting. There, one would like to have the current user
at the console (logged in via gdm or similar) to be the one with
exclusive rights on local devices (fixed ones like audio and video
as well as variable ones
On Wed, 11 Oct 2006 14:12:20 +0200
Gernot Salzer [EMAIL PROTECTED] wrote:
Don't mechanisms like libpam_devperm grant exclusive access?
On login the ownership of the devices is set to the console user,
and only the owner is granted rwx-rights. On logout
ownership/permissions of the device
First, there is no safe way to revoke privileges from a user. If a user
gets access to a certain group he/she can arrange ways to keep it,
even after being logged out (make a suid binary for example).
I admit that I don't know much about the internals of Unix/Linux.
So, if upon login of user
Sam Morris, 2006-10-11 13:40:08 +0200 :
I think HAL/PolicyTool/pam_foreground will eventually give us a
(slow?) solution to problems like this, but it's some way off at the
moment. Being able to add/revoke permissions with traditional
security methods (i.e. group membership) requires kernel
On Wednesday 11 October 2006 14:12 pm, Gernot Salzer wrote:
Don't mechanisms like libpam_devperm grant exclusive access?
On login the ownership of the devices is set to the console user,
and only the owner is granted rwx-rights. On logout
ownership/permissions of the device revert to the old
On Wed, 11 Oct 2006 16:31:37 +0200
Gernot Salzer [EMAIL PROTECTED] wrote:
First, there is no safe way to revoke privileges from a user. If a user
gets access to a certain group he/she can arrange ways to keep it,
even after being logged out (make a suid binary for example).
I admit