
Re: sound executables permissions



Philippe Troin:
> Not at all... /etc/group is consulted during the login (with initgroups() if I remember correctly) to initialize the supplemental group list.
> We should just add some terminal-based supplemental groups when calling this function, and not touch the /etc/group file.
> 
> If I've got time, I'll try to hack this in /bin/login and in xdm.

Actually, /bin/login in the shadow-login package (which works with non-shadow
passwords as well) can do this - add specified supplemental groups when logging
in from a console device (== listed in /etc/securetty).

Unfortunately, there is the problem with users being able to create a setgid
shell.  Needs some kernel hacking (so that, for example, users are allowed to
set the setgid bit for their primary group only).

Another solution (chown the devices to the user logging in like Suns do, using
/etc/fbtab or /etc/logindevperm) has some problems too:

 - multiple virtual consoles with possibly different users (maybe a separate
   setuid program to chown the devices should be used, so that the user can
   run it in one of the consoles if necessary).
 - needs some support from init to chown the devices back to root after the
   user logs out.
 - not really secure either - the user can start a process that keeps the
   device open even after logging out.  Linux doesn't have the equivalent
   of the *BSD revoke() or SCO UNIX stopio() system calls yet (vhangup()
   works for controlling tty devices only).

Marek
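
The last point in the message above (a process that keeps the device open after logout) can be seen with a short program. This is an added example, not part of the original message: a constructed temp file stands in for the device node, and `chmod(path, 0)` stands in for init chowning the device back to root; the function and struct names are made up for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
struct result {
    int held_fd_reads;  /* 1 if read() on the old descriptor still works */
    int new_open_errno; /* errno of a fresh open() after lock-down, 0 on success */
};

/* A constructed temp file stands in for a device node (assumption). */
int held_fd_survives_lockdown(struct result *r)
{
    char path[] = "/tmp/fake-dev-XXXXXX";
    char buf[6];
    int rc = -1, fd2;
    int fd = mkstemp(path);          /* "login": user opens the device */
    if (fd < 0)
        return -1;
    if (write(fd, "sample", 6) != 6)
        goto out;
    if (chmod(path, 0) != 0)         /* "logout": all access removed */
        goto out;
    /* Permissions are checked at open() time only, so the held fd still works. */
    if (lseek(fd, 0, SEEK_SET) != 0)
        goto out;
    r->held_fd_reads = read(fd, buf, 6) == 6 && memcmp(buf, "sample", 6) == 0;
    /* A fresh open() sees the new mode (root bypasses mode bits). */
    fd2 = open(path, O_RDONLY);
    r->new_open_errno = fd2 < 0 ? errno : 0;
    if (fd2 >= 0)
        close(fd2);
    rc = 0;
out:
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    struct result r = {0, 0};
    if (held_fd_survives_lockdown(&r) != 0)
        return 1;
    printf("held fd readable: %d, fresh open errno: %d (%s)\n", r.held_fd_reads,
           r.new_open_errno, strerror(r.new_open_errno));
    return 0;
}
```

Run as an unprivileged user, the held descriptor still reads the data while the fresh `open()` fails with `EACCES`.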

