Darren J Moffat wrote:
> Riny Qian wrote:
> 
>>All,
>>
>>Please take a look at the updated virtual console spec:
>>
>>http://www.opensolaris.org/os/project/vconsole/vconsole-spec.txt
>>http://www.opensolaris.org/os/project/vconsole/vt.7i.txt
>>
>>Any comments are welcome.
> 
> 
> DJM-1 2.6 /dev/console & root login
> 
> I'm not sure you can allow root login on /dev/console
> and on /dev/vt#.  The /etc/default/login variable CONSOLE
> only specifies a single device and I'm not sure I'm comfortable
> with /dev/console meaning /dev/console and all of /dev/vt.
> 
> However I do see possible value in allowing local root
> logins on multiple vts, so I'll need to think more about
> this.

Since we trust it on /dev/console, we should trust it on /dev/vt#.
Otherwise it would be inconvenient in practice.

> 
> DJM-2 2.7.2 ACLs for usb etc devices
> 
> Are you saying that if user "bob" logs in on vt1 and
> user "alice" logs in on vt2 then there will be an ACL of
> both of them on the audio and usb devices ?

Right. Actually, at the beginning, we wanted to group
all these devices (add a console group in the system,
and dynamically add/remove the logged-in user into
the console group upon logging in/out). But ACL seems
better than group, so we chose ACL. [It was recommended
by Casper Dik.]

> 
> I don't think this is a good idea.  I'm also concerned
> about how this interacts with device allocation and
> Trusted Extensions.

We don't see any impact on the device allocation
and Trusted Extensions.

> 
> Please ask the security community to review this whole
> proposal for possible interactions with Trusted Extensions.
> 

Right. We talked about it with people who're working on Trusted Extensions
before, and they don't have any issue. But since we changed
the spec, we should communicate with them again.

> DJM-3 2.8 SMF Service
> 
> As per my previous emails I believe that the /dev/vt#
> devices should just be instances of console-login and you
> should not need a separate vconsole-login even due to
> Zones.

If there's no other impact, we'll change to it.

> 
> DJM-4 2.9 tipline
> 
> How does this interact with consadm(1M) ?

I don't see any impact here.

> 
> DJM-5 2.10 kmdb
> 
> I expected that kmdb and panic would not be displayed
> on the current vt but only on the console and that you
> would still be able to switch to the console to interact
> with kmdb.   However I think this mode might be acceptable
> and even desirable in some cases.

We discussed it with the kmdb guys before, and they don't want
kmdb to be aware of the virtual console and the switch.

> 
> DJM-6 2.12 Xorg
> 
> What about Xsun since that is still used on SPARC.

There's no change to Xsun.

> 
> DJM-7 General
> 
> Is the ioctl interface compatible with that on any other
> platform or is it unique to OpenSolaris systems ?

Compatible.



