
Re: pam_console for debian



Hi,

On mer, 2002-07-24 at 23:58, Bas Zoetekouw wrote:
> Hi Sebastien!
> 
> You wrote:
> 
> >  One solution is to use pam_group to add a user to a special, and
> > usually empty, group if he's logged on the :0 display.
> 
> That makes no sense. User logs in behind the console, and is put in the
> group. User makes a g+s zsh-with-camera-access binary and puts it in
> ~/bin. After that, he'll always have access to the camera.
> 

Did I write anywhere that this solution was secure? Anybody wanting to
edit /etc/security/group.conf knows the suid trick.



> In other words: pam_console is only for clueless admins and Redhat
> users.
> 

Or for people who do not need the paranoid mode. 

The problem is exactly the same if you put someone in the audio group.
If a microphone is plugged into the audio card, anybody in the audio
group can listen to you. AFAIK you must trust users a bit.

Classical unix perms are not efficient to deal with hostile users
anyway.

SEb
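
An audit for the retained-access case discussed in this thread, added here as an example and not part of the original messages: it reads the groups that pam_group rules grant and lists setgid executables in a user-writable tree that carry one of those groups. The sample group.conf content and all function names are constructed for illustration.

```python
import grp
import os
import stat

# Constructed sample in the pam_group group.conf layout:
# services;ttys;users;times;groups
SAMPLE_GROUP_CONF = """\
# grant device groups to whoever logs in on the local display
xdm;:0;*;Al0000-2400;video, audio
login;tty*;*;Al0000-2400;floppy
"""

def granted_groups(conf_text):
    """Return the group names that the rules in conf_text hand out."""
    groups = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        fields = [f.strip() for f in line.split(";")]
        if len(fields) == 5:                        # skip blank/malformed rules
            groups.update(fields[4].replace(",", " ").split())
    return groups

def is_retained_access(mode, gid, watched_gids):
    """True for a regular, executable, setgid file owned by a watched group."""
    return (stat.S_ISREG(mode) and bool(mode & stat.S_ISGID)
            and bool(mode & 0o111) and gid in watched_gids)

def resolve_gids(names):
    """Map group names to numeric gids, skipping groups absent on this host."""
    gids = set()
    for name in names:
        try:
            gids.add(grp.getgrnam(name).gr_gid)
        except KeyError:
            pass
    return gids

def find_retained_access(root, watched_gids):
    """Walk root (for example /home) and list matching setgid executables."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                     # do not follow symlinks
            if is_retained_access(st.st_mode, st.st_gid, watched_gids):
                hits.append(path)
    return sorted(hits)
```

On a real host, pass the contents of /etc/security/group.conf to `granted_groups`, resolve the names with `resolve_gids`, and scan the home directories. Mounting user-writable filesystems with `nosuid` makes the kernel ignore the setgid bit at exec time, so anything this scan reports there loses its effect.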




