Re: pam_console for debian
On Fri, 26 Jul 2002 02:04, Brian May wrote:
> On Wed, Jul 24, 2002 at 11:58:27PM +0200, Bas Zoetekouw wrote:
> > > One solution is to use pam_group to add a user to a special, and
> > > usually empty, group if he's logged on the :0 display.
> > That makes no sense. User logs in behind the console, and is put in the
> > group. User makes a g+s zsh-with-camera-access binary and puts it in
> > ~/bin. After that, he'll always have access to the camera.
> Come to think of it, this would be easy to solve in SE-Linux simply by
> disallowing Set-GID operations in user created scripts. In fact, this
> should already be the default.
That wouldn't work. Someone who has logged in can run a proxy process that
listens on a TCP socket and then performs access to the device as specified
by a remote user on the net.
The thing to do with SE Linux to solve this properly is have the login
process change the type of the device node to something the user can access,
and then change it back to something else when they logout (also it would be
changed when someone else logs in to the console - in case the logout process
was interrupted somehow).
Changing the type in SE Linux immediately prevents all further access to the
open file handle unless the domain in question is permitted such access.
However in the default setup of SE Linux you have all non-administrative
users in the same domain, but I am working on fixing this. My latest Debian
package is almost usable with multiple user domains. It still isn't
practical to have large numbers of user domains (having 1000 users with each
user having its own role and domain would not be practical). But you can
divide the users into different groups where each group has its own role.
This is probably suitable for most tasks, for a university environment you
could divide the user base into different project teams or different classes.
Then rely on students not being too active at trying to hack people who they
deal with every day...
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
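As an added illustration that is not part of this thread: the weakness Bas describes with the pam_group approach is a setgid binary left in a home directory, so one cheap check on a pam_group system is to sweep home directories for setuid/setgid files. The directories to scan (assumed here to be something like /home/*) and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists setuid/setgid regular files
# under the given directories, the "g+s zsh in ~/bin" retained-access trick
# Bas describes. Intended for home directories: a setgid file there is
# almost never legitimate on a multi-user box.

# Print one "ls -ld" line per setuid/setgid file found under $@.
# -xdev keeps the scan on the same filesystem as each start directory.
find_setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# Same scan, but only the number of hits; handy for a cron job that mails
# the admin when the count is not zero.
count_setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}
```

Run it as e.g. `find_setid_files /home/*` from a cron job; hits should be reviewed against the group they carry (a file setgid to the camera or audio group is the case discussed above).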