Re: pam_console for debian
On Wed, 2002-07-24 at 23:58, Bas Zoetekouw wrote:
> Hi Sebastien!
> You wrote:
> > One solution is to use pam_group to add a user to a special, and
> > usually empty, group if he's logged on the :0 display.
> That makes no sense. User logs in behind the console, and is put in the
> group. User makes a g+s zsh-with-camera-access binary and puts it in
> ~/bin. After that, he'll always have access to the camera.
Did I write anywhere that this solution was secure? Anybody wanting to
edit /etc/security/group.conf knows the suid trick.
> In other words: pam_console is only for clueless admins and Redhat
Or for people who do not need the paranoid mode.
The problem is exactly the same if you put someone in the audio group.
If a microphone is plugged into the audio card, anybody in the audio
group can listen to you. AFAIK you must trust users a bit.
Classical unix perms are not efficient to deal with hostile users.
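
The g+s trick raised in this thread leaves an artifact on disk: a setgid file, outside the system paths, whose group is the one handed out at console login. As an added example (not part of the original messages), a check an admin could run for such files; the group names `video` and `audio` and the `/home` root are assumptions, not values from the thread.

```python
import os
import stat
import sys


def find_setgid_files(root, watched_gids):
    """Return sorted paths of regular files under root that carry the
    setgid bit and are group-owned by one of watched_gids."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISGID and st.st_gid in watched_gids:
                hits.append(path)
    return sorted(hits)


def resolve_gids(group_names):
    """Map group names to numeric gids, ignoring groups that do not exist."""
    import grp
    gids = set()
    for name in group_names:
        try:
            gids.add(grp.getgrnam(name).gr_gid)
        except KeyError:
            print("no such group: %s" % name, file=sys.stderr)
    return gids


if __name__ == "__main__":
    # Usage: script.py [ROOT [GROUP ...]]
    # Defaults are assumptions: /home and the groups video, audio.
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    groups = sys.argv[2:] or ["video", "audio"]
    for path in find_setgid_files(root, resolve_gids(groups)):
        print(path)
```

Mounting the filesystem that holds the home directories with the `nosuid` option makes the kernel ignore setuid and setgid bits on files there, which closes this particular route without any scanning.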