Re: Referring bug #166718 and the initial groups issue to the TC

To: hartmans@debian.org (Sam Hartman)
Cc: debian-ctte@lists.debian.org
Subject: Re: Referring bug #166718 and the initial groups issue to the TC
From: Bdale Garbee <bdale@gag.com>
Date: Thu, 01 Apr 2004 08:40:59 -0700
Message-id: <[🔎] 874qs3ln90.fsf@rover.gag.com>
In-reply-to: <20040331191500.ED78015159C@konishi-polis.mit.edu> (Sam Hartman's message of "31 Mar 04 19:15:00 GMT")
References: <20040331191500.ED78015159C@konishi-polis.mit.edu>

hartmans@debian.org (Sam Hartman) writes:

> The problem is fairly simple.  Some of our users actually want to use
> their systems once they get it installed.

 ;-)

> Perhaps when Debian and the FHS originally made this decision, users
> could be expected to simply add themselves to groups if they noticed
> they needed the permissions associated with these groups.  However as
> Debian has gained appeal to a wider audience and as peoples'
> expectations of usability increase,  users want more reasonable
> default behavior.

If we're talking about single-user machines with a graphics card for a console,
then I certainly agree.  We need to be careful to avoid a change that makes
things worse (less secure, etc) for headless systems like servers, though.

> The Redhat pam_console module does seem to do roughly what we want .

The idea of conditionalizing access rights on the basis of whether a user
currently controls "the console" feels to me like exactly the right way to 
approach this issue.  I haven't studied pam_console, and so don't have a strong
opinion on whether it's the right hunk of code or not.

Bdale

Reply to:

Prev by Date: Re: policies for access to local resources
Next by Date: Re: policies for access to local resources
Previous by thread: Re: Referring bug #166718 and the initial groups issue to the TC
Next by thread: policies for access to local resources
Index(es):
- Date
- Thread