
Re: pam_console for debian



On Fri, 26 Jul 2002 02:04, Brian May wrote:
> On Wed, Jul 24, 2002 at 11:58:27PM +0200, Bas Zoetekouw wrote:
> > >  One solution is to use pam_group to add a user to a special, and
> > > usually empty, group if he's logged on the :0 display.
> >
> > That makes no sense. User logs in behind the console, and is put in the
> > group. User makes a g+s zsh-with-camera-access binary and puts it in
> > ~/bin. After that, he'll always have access to the camera.
>
> Come to think of it, this would be easy to solve in SE-Linux simply by
> disallowing Set-GID operations in user created scripts. In fact, this
> should already be the default.

That wouldn't work.  Someone who has logged in can run a proxy process that 
listens on a TCP socket and then performs access to the device as specified 
by a remote user on the net.

The thing to do with SE Linux to solve this properly is have the login 
process change the type of the device node to something the user can access, 
and then change it back to something else when they logout (also it would be 
changed when someone else logs in to the console - in case the logout process 
was interrupted somehow).

Changing the type in SE Linux immediately prevents all further access to the 
open file handle unless the domain in question is permitted such access.

However in the default setup of SE Linux you have all non-administrative 
users in the same domain, but I am working on fixing this.  My latest Debian 
package is almost usable with multiple user domains.  It still isn't 
practical to have large numbers of user domains (having 1000 users with each 
user having its own role and domain would not be practical).  But you can 
divide the users into different groups where each group has its own role.  
This is probably suitable for most tasks, for a university environment you 
could divide the user base into different project teams or different classes. 
Then rely on students not being too active at trying to hack people who they 
deal with every day...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
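The login-time relabelling the mail above describes (change the device node's type when a user logs in on the console, restore it on logout, and let a later console login take over even if the previous logout was interrupted) as an added example; this is not code from the original mail or from any Debian package. It assumes a pam_exec session hook (pam_exec exports PAM_TYPE and PAM_USER to the script), placeholder names for the device, the two SELinux types and the state file, and `chcon -t` for the relabel itself, which needs root and an SELinux kernel, so the relabel action is injectable for offline testing.

```python
"""
Added example (not part of the original mail): a pam_exec-style session hook
that relabels a console device node on login and restores the idle type on
logout.  All paths and type names below are placeholders (assumptions).
"""
import json
import os
import subprocess

DEVICE = "/dev/video0"                  # assumed console device (placeholder)
CONSOLE_TYPE = "console_device_t"       # assumed type the console user's domain may access
IDLE_TYPE = "device_t"                  # assumed type only the admin domain may access
STATE_FILE = "/run/console-device.json" # assumed record of who currently holds the label


def chcon_type(device, setype):
    """Real relabel action: change only the type field of the file context."""
    subprocess.run(["chcon", "-t", setype, device], check=True)


class ConsoleDeviceLabeler:
    def __init__(self, device=DEVICE, state_file=STATE_FILE, relabel=chcon_type):
        self.device = device
        self.state_file = state_file
        self.relabel = relabel

    def _read_state(self):
        try:
            with open(self.state_file) as f:
                return json.load(f)
        except (FileNotFoundError, ValueError):
            return None

    def _write_state(self, owner):
        if owner is None:
            try:
                os.unlink(self.state_file)
            except FileNotFoundError:
                pass
        else:
            with open(self.state_file, "w") as f:
                json.dump({"owner": owner}, f)

    def open_session(self, user):
        # Always relabel on a console login, even if the state file still names
        # a previous user: that is the "logout process was interrupted" case.
        self.relabel(self.device, CONSOLE_TYPE)
        self._write_state(user)
        return CONSOLE_TYPE

    def close_session(self, user):
        state = self._read_state()
        if state is None or state.get("owner") != user:
            # A later console login already took the device over; a stale
            # logout must not revoke the new owner's access.
            return None
        self.relabel(self.device, IDLE_TYPE)
        self._write_state(None)
        return IDLE_TYPE


def pam_exec_main(environ=os.environ):
    """Entry point under pam_exec: PAM_TYPE and PAM_USER are set by PAM."""
    labeler = ConsoleDeviceLabeler()
    pam_type = environ.get("PAM_TYPE")
    user = environ.get("PAM_USER")
    if pam_type == "open_session":
        return labeler.open_session(user)
    if pam_type == "close_session":
        return labeler.close_session(user)
    return None  # other PAM phases (auth, account, password) do nothing


if __name__ == "__main__":
    pam_exec_main()
```

Because the type change is applied to the device node rather than to the user's process, an already-open descriptor stops working the moment the label reverts unless the holder's domain is still allowed the new type, which is exactly why the mail prefers this over group membership. The hook belongs only in the PAM configuration of the console login services, not in the SSH or remote login stack.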

