Re: pam_console for debian

To: "Debian : devel" <debian-devel@lists.debian.org>
Cc: Sebastien Chaumat <schaumat@debian.org>, christophe barbé <christophe.barbe.ml@online.fr>
Subject: Re: pam_console for debian
From: Brian May <bam@debian.org>
Date: Fri, 26 Jul 2002 10:04:25 +1000
Message-id: <[🔎] 20020726000425.GF23566@snoopy.apana.org.au>
Mail-followup-to: Brian May <bam@debian.org>, "Debian : devel" <debian-devel@lists.debian.org>, Sebastien Chaumat <schaumat@debian.org>, christophe barbé <christophe.barbe.ml@online.fr>
In-reply-to: <[🔎] 20020724215827.GB17743@A-Eskwadraat.nl>
References: <[🔎] 20020724154009.GI18013@localhost> <[🔎] 20020724181421.GA16858@A-Eskwadraat.nl> <[🔎] 20020724203200.GP18013@localhost> <[🔎] 1027543595.20993.13.camel@muetdhiver> <[🔎] 20020724215827.GB17743@A-Eskwadraat.nl>

On Wed, Jul 24, 2002 at 11:58:27PM +0200, Bas Zoetekouw wrote:
> >  One solution is to use pam_group to add a user to a special, and
> > ususaly empty, group if he's loggued on the :0 display.
> 
> That makes no sense. User logs in behind the console, and is put in the
> group. User makes a g+s zsh-with-camera-access binary and puts it in
> ~/bin. After that, he'll always have access to the camera.

Come to think of it, this would be easy to solve in SE-Linux simply by
disallowing Set-GID operations in user created scripts. In fact, this
should already be the default.

Another solution would be to hack the kernel to disallow chmod g+s
or chmod u+s if the user is not root.

Are there any security problems with this I haven't considered?
-- 
Brian May <bam@debian.org>


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: pam_console for debian
  - From: Russell Coker <russell@coker.com.au>

References:
- pam_console for debian
  - From: christophe barbé <christophe.barbe.ml@online.fr>
- Re: pam_console for debian
  - From: Bas Zoetekouw <bas@debian.org>
- Re: pam_console for debian
  - From: christophe barbé <christophe.barbe.ml@online.fr>
- Re: pam_console for debian
  - From: Sebastien Chaumat <schaumat@debian.org>
- Re: pam_console for debian
  - From: Bas Zoetekouw <bas@debian.org>

Prev by Date: Bug#154311: ITP: imagefs -- A tool to create and write FAT12 images.
Next by Date: Re: Menu code update (7/25)
Previous by thread: Re: pam_console for debian
Next by thread: Re: pam_console for debian
Index(es):
- Date
- Thread