<quote who="Matt Hope">

> Personally, I set up libpam-devperm instead - this changes the ownerships
> of specified devices (for example, the sound devices like /dev/dsp) to the
> user who is logging in.
> 
> In my experience, this has been easier than adding extra users to a handful
> of groups.
> 
> I'd strongly recommend Ubuntu consider following this path - I can't see
> any cases where a user should be able to log in at a graphical terminal,
> but not allowed to use sound, or the cdrom.

Until very recently, access granted by those permissions could not be
revoked from running processes, resulting in a big ugly security hole. I
believe that problem is solved now, so at some stage we could transition to
a better model, however there is still the issue of identifying "local"
users (which RH do with consolehelper stuff, but there are various arguments
for disliking it).

- Jeff

-- 
EuroOSCON: October 17th-20th    http://conferences.oreillynet.com/eurooscon/
 
   "Science helps a lot, but people built perfectly good brick walls long
               before they knew why cement works." - Alan Cox
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
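
The revocation problem mentioned in the reply follows from the kernel checking file permissions only at open() time. The following is an added example, not part of the thread: it uses a constructed temporary file as a stand-in for a device node such as /dev/dsp, and chmod as a stand-in for the ownership change made when the device is handed to another user.

```python
import os
import stat
import tempfile


def fd_survives_permission_change():
    """Open a file, withdraw all permissions, and report what still works."""
    # Constructed stand-in for a device node; not a real device.
    fd_tmp, path = tempfile.mkstemp(prefix="fake-dsp-")
    os.write(fd_tmp, b"audio-data")
    os.close(fd_tmp)
    result = {}
    try:
        # A process in the first user's session opens the "device".
        held = os.open(path, os.O_RDONLY)
        try:
            # Access is withdrawn on the inode (assumed model of the handover).
            os.chmod(path, 0)
            result["mode_after"] = stat.S_IMODE(os.stat(path).st_mode)
            # The already-open descriptor is not re-checked, so it still reads.
            result["held_fd_read"] = os.read(held, 64)
            # A fresh open is checked against the new mode (root bypasses it).
            try:
                os.close(os.open(path, os.O_RDONLY))
                result["fresh_open"] = "allowed"
            except PermissionError:
                result["fresh_open"] = "denied"
        finally:
            os.close(held)
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    for key, value in fd_survives_permission_change().items():
        print(f"{key}: {value}")
```

A process that keeps such a descriptor open across logout retains access regardless of who owns the node afterwards, which is why changing ownership alone does not revoke anything.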
