Re: documentation on permissions for cdrom device -- where?
"Marcelo E. Magallon" <firstname.lastname@example.org> writes:
> The *proper* solution is to add audio to the CONSOLE_GROUPS in
> /etc/login.defs; the problem with this is that the xdm gang doesn't
> obey this (patch someone?). In this way, only the user at the console
> has access to the audio devices (and the floppy, cdrom, scanner,
This solution isn't very good either, since the user can create a
setgid program when she's at the console and run it later. Or she can
leave a shell running in screen(1). Or just leave a process holding
the device open.
The vcs* devices suffer from similar problems -- see bug #22191.
There was a story about "role-based security" in DDJ some years ago.
It explained how some (BSD?) kernel separated users in four security
levels according to where they were logging in from. Each file had
two extra protection bits for the minimum level required to use it.
Something like that might be the real solution here.