
Re: gids assigned non-deterministically



On Tue, 10 Oct 2006 11:20:26 +0200
Gabor Gombas <gombasg@sztaki.hu> wrote:

> On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote:
> 
> > That is no longer a reality with groups like plugdev, powerdev and
> > netdev, which users need to be a member of to be able to get the wonders
> > of automatically mounted usb-sticks, tweakable power management and
> > whatever comes with the utopia stack.
> 
> Then use pam_group to temporarily assign those groups to users. That way
> the gids can be different on every system, and you can even gain
> performance by having less groups in LDAP.

Hmm, pam_group doesn't sound too secure to me... what if on one machine
gid 110 is www-data and on another plugdev. Then if a user logs in on the second
machine it will get access to gid 110, make some suid executable, which on
another machine ... Well, the nfs mount is nosuid, but still, I find this a bit
scary.

> Especially if you have more than a handful of users (and if you are
> considering LDAP, I assume you have), groups with hundreds or thousands of
> members can cause headaches.

But this is of course true...

grts Tim
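The risk Tim describes above (the same numeric gid meaning www-data on one host and plugdev on another, with a setgid file on a shared filesystem carrying only the number) is something an administrator can audit for. The following Python script is an added example, not part of the original thread; the host names, the /etc/group excerpts and the file list are constructed sample data, and a real run would read each host's /etc/group and walk the export with os.lstat instead.

```python
"""
Audit for gid collisions across hosts and for setgid files that depend on them.

A shared filesystem stores the numeric gid, not the group name, so a gid
that maps to different names on different hosts makes any setgid file owned
by that gid mean something different on each host.

All host names, group lines and file entries below are constructed samples.
"""
import stat
from collections import defaultdict

# Constructed /etc/group excerpts for two hypothetical hosts.
# gid 110 is www-data on hostA but plugdev on hostB; 100 and 0 agree.
SAMPLE_GROUP_FILES = {
    "hostA": "root:x:0:\nwww-data:x:110:\nusers:x:100:\n",
    "hostB": "root:x:0:\nplugdev:x:110:tim\nusers:x:100:\nnetdev:x:111:tim\n",
}

# Constructed (path, mode, gid) triples standing in for os.lstat() results
# on an NFS export. Only the first one is setgid and owned by a colliding gid.
SAMPLE_FILES = [
    ("/srv/nfs/home/tim/tool", 0o2755, 110),   # setgid, gid 110 -> conflict
    ("/srv/nfs/home/tim/notes", 0o644, 110),   # not setgid
    ("/srv/nfs/bin/helper", 0o2755, 100),      # setgid, but gid 100 is consistent
]


def parse_group_file(text):
    """Return {gid: name} from text in /etc/group format; skips blank and comment lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue                      # malformed line, ignore it
        name, gid = fields[0], fields[2]
        try:
            mapping[int(gid)] = name
        except ValueError:
            continue                      # non-numeric gid field, ignore it
    return mapping


def find_gid_conflicts(group_files):
    """Return {gid: {name: [hosts]}} for every gid whose name differs between hosts.

    group_files maps a host name to the contents of its /etc/group.
    """
    by_gid = defaultdict(lambda: defaultdict(list))
    for host, text in group_files.items():
        for gid, name in parse_group_file(text).items():
            by_gid[gid][name].append(host)
    # A gid is a conflict when more than one distinct name claims it.
    return {gid: dict(names) for gid, names in by_gid.items() if len(names) > 1}


def setgid_files_at_risk(files, conflicts):
    """Return paths from (path, mode, gid) triples that are setgid and owned by a conflicting gid."""
    return [path for path, mode, gid in files
            if mode & stat.S_ISGID and gid in conflicts]


def main():
    conflicts = find_gid_conflicts(SAMPLE_GROUP_FILES)
    for gid, names in sorted(conflicts.items()):
        desc = ", ".join(f"{name} on {'/'.join(hosts)}" for name, hosts in names.items())
        print(f"gid {gid} is ambiguous: {desc}")
    for path in setgid_files_at_risk(SAMPLE_FILES, conflicts):
        print(f"setgid file owned by an ambiguous gid: {path}")


if __name__ == "__main__":
    main()
```

The check only reports a collision once a gid has at least two distinct names across the hosts given; a gid that exists on one host and is simply absent on another is not flagged, since it cannot be confused with anything there. Nothing here replaces the nosuid mount option; it just surfaces the gids that would matter if that option were ever dropped.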
