Re: gdm/Gnome/KDE and device permissions

To: debian-devel@lists.debian.org
Subject: Re: gdm/Gnome/KDE and device permissions
From: Petter Reinholdtsen <pere@hungry.com>
Date: Tue, 17 Oct 2006 13:50:10 +0200
Message-id: <[🔎] 2fl64ejp3f1.fsf@saruman.uio.no>
References: <[🔎] E1GXbwp-00087S-S8@polaris.logic.tuwien.ac.at>

[Gernot Salzer]
> what is the standard/canonical way of handling device permissions
> in Debian ("etch" in my case) on desktop PCs running a GUI?

As you probably found out from the replies so far, there is no
standard way. :(

Here are some notes I wrote for Debian Edu.  You might find it useful.

Local device access
-------------------

  The local user should have access to some of the local devices
  (sound, cdrom, etc) after logging in on the console or via
  kdm/gdm/xdm/etc, but not when logging in from remote via ssh.  There
  are as far as I know two ways to make this happen.  One way is to
  add the local user to the groups needed to access these devices, the
  other is to change the permissions on these devices to give access
  to the local user.  The former is done using pam_group, while the
  latter is done using pam_devperm.  Both have advantages and
  weaknesses.

  pam_group
  ---------

  By updating /etc/pam.d/common-auth and /etc/security/group.conf it is
  possible to add the logged in user to the grous needed (audio,
  floppy, cdrom, plugdev, video).  In addition to getting access to
  the devices present during login, it also make sure hotplugged
  devices like USB sticks work (group membership in plugdev take care
  of this).

  The problem with this method is that every member of the groups in
  question can create a setgid program to gain access to the devices
  also when not logged into the machine.  This will make it possible
  to record from the microphone, read and from the floppy, cdrom and
  usb stick, as well as play unwanted sound on other users computers.
  It is also possible to start long-running processes in the
  background to keep the access privileges to the devices in question.

--- /etc/pam.d/common-auth.orig 2006-10-17 11:25:40.000000000 +0000
+++ /etc/pam.d/common-auth      2006-10-17 11:25:29.000000000 +0000
@@ -7,4 +7,5 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 # traditional Unix authentication mechanisms.
 #
+auth   optional        pam_group.so
 auth   required        pam_unix.so nullok_secure
--- /etc/security/group.conf.orig       2006-10-17 11:27:32.000000000 +0000
+++ /etc/security/group.conf    2006-10-17 11:31:43.000000000 +0000
@@ -55,6 +55,8 @@
 #xsh; tty* ;*;Al0900-1800;floppy


+*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video
+*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video

 #
 # End of group.conf file

  pam_devperm
  -----------

  By installing libpam-devperm and updating /etc/pam.d/common-sessionn
  (and /etc/logindevperm to fix bug #393661 and get access to
  /dev/dsp), it is possible to modify the permissions of relevant
  devices when a user log in, and reset the permissions when the user
  log out.  The user of the device is changed to the logged in user,
  and the mode is normally set to 0600 granting exclusive access.

  The problem with this method is that hotplug devices do not work, as
  they are not available when the user is logged in, and the device
  ownership is only modified when the user log in.  Another problem is
  that the user can keep the access privileges for the devices after
  he log out by starting long-running processes in the background.

--- /etc/pam.d/common-session.orig      2006-10-17 11:23:21.000000000 +0000
+++ /etc/pam.d/common-session   2006-10-17 10:42:08.000000000 +0000
@@ -7,3 +7,4 @@
 # non-interactive).  The default is pam_unix.
 #
 session        required        pam_unix.so
+session        required        pam_devperm.so
--- /etc/logindevperm.orig   2006-10-17 10:51:58.000000000 +0000
+++ /etc/logindevperm   2006-10-17 10:53:08.000000000 +0000
@@ -24,7 +24,7 @@
 :0 0600 /dev/cdrecorder:/dev/cdrecorder1:/dev/cdrecorder2:/dev/cdrecorder3
 :0 0600 /dev/dvd:/dev/dvd1:/dev/dvd2:/dev/dvd3
 :0 0600 /dev/zip:/dev/zip1:/dev/zip2:/dev/zip3
-:0 0600 /dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
+:0 0600 /dev/dsp:/dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
 :0 0600 /dev/fd0:/dev/fd0u1440:/dev/fd0h1440:/dev/fd0u720:/dev/fd0h720
 :0 0600 /dev/fd1:/dev/fd1u1440:/dev/fd1h1440:/dev/fd1u720:/dev/fd1h720
 :0 0600 /dev/sequencer:/dev/sequencer2:/dev/music

  Conclusion
  ----------

  I recommend using the pam_group mechanism to get a working hotplug
  support, and recommend solving the setgid-issue by adding the nosuid
  mount flag to the partitions where users can add files (/home/,
  /tmp/, /dev/shm/, /var/lock/), and solving the problem with
  long-running processes by running some kind of idle-job killer to
  kill long-running processes.

Reply to:

Follow-Ups:
- Re: gdm/Gnome/KDE and device permissions
  - From: Hendrik Sattler <debian@hendrik-sattler.de>

References:
- gdm/Gnome/KDE and device permissions
  - From: Gernot Salzer <salzer@logic.at>

Prev by Date: [Help] Please compile clustalw on architectures ia64, mips, mipsel, s390 and m68k
Next by Date: Re: [Help] Please compile clustalw on architectures ia64, mips, mipsel, s390 and m68k
Previous by thread: Re: gdm/Gnome/KDE and device permissions
Next by thread: Re: gdm/Gnome/KDE and device permissions
Index(es):
- Date
- Thread