Making more groups and removing 32 groups limit.
There are about a hundred devices in /dev
(ls /dev/* | wc -l returns 1016) and Debian provides only 40 groups.
This shows that an admin doesn't have fine control over delegating tasks to
other users without giving them too much power.
For example, to give a particular user access to a SCSI hard disk, an admin does
    addgroup <user> disk
and the user is then able to modify 444 devices (ls -l /dev/* | grep disk | wc -l),
which is too much. So, to do it securely, the sysadmin must play with
chown & chgrp on a lot of devices, which isn't clean.
Another example:
I have a SCSI scanner which is compatible with SANE, and everyone knows that a
scanner uses /dev/sg*.
Here are my /dev/sg*:
crw------- 1 root root 21, 0 Jul 21 1998 /dev/sg0
crw------- 1 root root 21, 1 Jul 21 1998 /dev/sg1
crw------- 1 root root 21, 2 Jul 21 1998 /dev/sg2
crw------- 1 root root 21, 3 Jul 21 1998 /dev/sg3
crw------- 1 root root 21, 4 Jul 21 1998 /dev/sg4
crw------- 1 root root 21, 5 Jul 21 1998 /dev/sg5
crw------- 1 root root 21, 6 Jul 21 1998 /dev/sg6
crw------- 1 root root 21, 7 Jul 21 1998 /dev/sg7
So only root is able to use these devices, and if I want to scan as a simple
user, I must do as root (my scanner is /dev/sg1):
    chown root.sg /dev/sg*
    chmod 660 /dev/sg*
    addgroup <user> sg
and it should work.
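To make the two situations above measurable (how much a single addgroup <user> disk hands out, and what the chown/chmod on /dev/sg* changes), here is an added example that is not part of the original message: a POSIX shell audit that evaluates the owner/group/other mode bits of one device node for a given user and its groups, and counts the nodes a group may write. The listing, the users alice and bob, and the sg group are constructed for the example.

```shell
#!/bin/sh
# Constructed, abridged ls -l style listing (not from a real system): two
# /dev/sg* nodes as shipped (root:root 600) plus two disk-group nodes.
BEFORE='crw------- 1 root root 21, 0 Jul 21 1998 /dev/sg0
crw------- 1 root root 21, 1 Jul 21 1998 /dev/sg1
brw-rw---- 1 root disk  8, 0 Jul 21 1998 /dev/sda
brw-rw---- 1 root disk  8, 1 Jul 21 1998 /dev/sda1'
# The same nodes after "chown root.sg /dev/sg*; chmod 660 /dev/sg*".
AFTER='crw-rw---- 1 root sg   21, 0 Jul 21 1998 /dev/sg0
crw-rw---- 1 root sg   21, 1 Jul 21 1998 /dev/sg1
brw-rw---- 1 root disk  8, 0 Jul 21 1998 /dev/sda
brw-rw---- 1 root disk  8, 1 Jul 21 1998 /dev/sda1'

# device_access LISTING USER "GROUP ..." PATH r|w  ->  yes | no | missing
# Classic owner/group/other check on one node: the first class the user
# falls into decides. root is treated as bypassing the mode bits, as the
# kernel's DAC override does.
device_access() {
  printf '%s\n' "$1" | awk -v u="$2" -v gs="$3" -v p="$4" -v w="$5" '
    $NF == p {
      found = 1
      if (u == "root") { print "yes"; exit }
      n = split(gs, g, " "); ingroup = 0
      for (i = 1; i <= n; i++) if (g[i] == $4) ingroup = 1
      # mode string: columns 2-4 owner, 5-7 group, 8-10 other (r, w, x)
      off = (u == $3) ? 2 : (ingroup ? 5 : 8)
      bit = substr($1, off + (w == "w" ? 1 : 0), 1)
      print ((bit == "-") ? "no" : "yes"); exit
    }
    END { if (!found) print "missing" }'
}

# group_writable LISTING GROUP -> number of nodes that group can write,
# i.e. how much one "addgroup <user> GROUP" actually hands out.
group_writable() {
  printf '%s\n' "$1" | awk -v g="$2" \
    '$4 == g && substr($1, 6, 1) == "w" { n++ } END { print n + 0 }'
}

# Walk through the scenario for a hypothetical user "alice".
device_access "$BEFORE" alice "alice sg" /dev/sg1 w   # no: root:root 600
device_access "$AFTER"  alice "alice sg" /dev/sg1 w   # yes: group sg has rw
device_access "$AFTER"  bob   "bob"      /dev/sg1 r   # no: bob is not in sg
group_writable "$BEFORE" disk                         # 2
```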
But I think that this method isn't clean because we change the Debian
defaults, and Debian should be adapted to the software it distributes.
OK, you can say that it's the admin's task, but it would be cleaner to do
this, and the admin can't do everything. For example, if the dpkg
database.... were like an email spool, owned by a group called pkg for
example, root could give package management to a specific user.
For now, even if the admin does
    chown -R root.pkg /var/lib/dpkg
    chmod -R g+....
dpkg will say that it needs root.
What I say is maybe stupid, but it would be really simpler and more efficient to
divide the system into a multitude of groups.
I know that a user can't be part of more than 32 groups as well, so it's
impossible to make many groups.
As a result, the only thing to do, I think, is to remove the 32 groups per
user limit and make as many groups as we can, associating the rights to these

Sami Dalouche : firstname.lastname@example.org
ICQ : 25529539 / AIM : linhax / IRC nick : linhax / DHIS : pingoo.dhis.org