
ITP or RFP pam-redhat or request to merge pam-redhat in pam


I'd like to have pam-redhat [1], especially pam_console, in Debian.
It controls the permissions of some devices when a user logs in to the
system, so that the logged-in user can access the framebuffer or other
devices without any changes. For example, w3m-img needs read/write access
to /dev/fb0, but its default permission is root.video 0620.  To browse
images with w3m-img, there are two ways for now. One is setuid, and the
other is to change the permission of /dev/fb0.

As for making w3mimgdisplay setuid, I'm afraid of possible security
problems: w3mimgdisplay will read image files downloaded from the Net, so
there may be mischievous files that attack the code w3mimgdisplay uses.
I want to avoid using setuid root as much as possible.

Changing the permission of /dev/fb0 makes it possible for a remote user
to display images while another user is logged in on the console.  It may
introduce another security problem: the console user would see images
from pages the remote user is viewing, for example.

So I think the right solution is for pam_console to fix the permissions
when a user logs in.

I can package pam-redhat as a deb package, but it may be better for it to
be included in pam or managed with the pam packages.  What is a good way
to put pam-redhat in Debian?

Fumitoshi UKAI

[1] You can check it out with
  cvs -z9 -d :pserver:anonymous@rhlinux.redhat.com:/usr/local/CVS co pam-redhat
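
The three access models weighed in the message (setuid-root helper, device opened to every user, device handed to the console user at login) can be told apart from stat fields alone. The following audit sketch is an added example, not part of the original message and not pam-redhat code; the function names, finding labels and sample uid 1000 are assumptions made for illustration.

```python
import os
import stat

def classify(dev_mode, dev_uid, helper_mode, helper_uid, console_uid):
    """Classify how a console user reaches a device, from stat fields only.

    Group membership (e.g. the video group) is deliberately not evaluated.
    """
    findings = []
    # Option 1 in the message: the helper runs as root through the setuid bit,
    # so a parsing bug triggered by a downloaded image runs with root rights.
    if (helper_mode & stat.S_ISUID) and helper_uid == 0:
        findings.append("helper-setuid-root")
    # Option 2: the device is opened to "other", so remote users reach it too.
    if dev_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("device-accessible-to-all")
    # Option 3 (the outcome a pam_console-style login hook aims for):
    # the device belongs to the console user and nobody else has any bits.
    owner_rw = stat.S_IRUSR | stat.S_IWUSR
    if (dev_uid == console_uid
            and (dev_mode & owner_rw) == owner_rw
            and not dev_mode & (stat.S_IRWXG | stat.S_IRWXO)):
        findings.append("device-owned-by-console-user-only")
    if not findings:
        findings.append("no-console-grant")
    return findings

def audit_paths(dev_path, helper_path, console_uid):
    """Same classification, reading mode and owner from real paths."""
    d, h = os.stat(dev_path), os.stat(helper_path)
    return classify(stat.S_IMODE(d.st_mode), d.st_uid,
                    stat.S_IMODE(h.st_mode), h.st_uid, console_uid)

if __name__ == "__main__":
    # Constructed sample values; uid 1000 stands in for the console user.
    samples = {
        "default root.video 0620": (0o620, 0, 0o755, 0),
        "setuid helper":           (0o620, 0, 0o4755, 0),
        "chmod 0666 on device":    (0o666, 0, 0o755, 0),
        "owned by console user":   (0o600, 1000, 0o755, 0),
    }
    for name, fields in samples.items():
        print(f"{name}: {classify(*fields, console_uid=1000)}")
```

On a live system, `audit_paths("/dev/fb0", <path to w3mimgdisplay>, uid)` gives the same classification for the real device and helper.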
