
Re: gids assigned non-deterministically



On Tue, Oct 10, 2006 at 03:36:20PM +0200, Tim Dijkstra wrote:

> That's not an argument someone can just 'chown :plugdev' something.

Crap. I knew I'd overlook something. I think you could still prevent
that with SELinux though :-)

On the other hand, I was thinking that if in your case basically all
users need to be members of all these groups anyway, then there is no
point in having these groups at all. Just make pmount executable by
anyone, and edit /etc/dbus-1/system.d/{avahi-dbus.conf,hal.conf} and
replace '<policy group="powerdev">' etc. with '<policy
context="default">' or with '<policy at_console="true">'.

Similarly, if all users have read(/write) access to a device because all
users are part of the group owning the device node, then you can just
make that device node a+r(/a+w) and forget about the group.

Of course there may be services running under other uids that you do not
want to give all the access humans have; it has to be decided.

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------
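
The two points made in the message above (a group that every human user belongs to restricts nothing among humans, but replacing it with world access also admits service uids) can be checked mechanically. The following is an added example, not part of the original message; the passwd/group entries are constructed, and treating uid >= 1000 as "human" is an assumption.

```python
# Constructed sample data (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
avahi:x:105:108:Avahi daemon:/var/run/avahi-daemon:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
GROUP = """\
plugdev:x:46:alice,bob,carol
powerdev:x:110:alice,bob,carol
audio:x:29:alice,avahi
alice:x:1000:
"""
HUMAN_UID_MIN = 1000  # assumption: human accounts start at uid 1000


def parse_passwd(text):
    """Return {username: (uid, primary_gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def audit_groups(passwd_text, group_text, uid_min=HUMAN_UID_MIN):
    """Flag groups that every human user belongs to, and list the non-root
    service accounts that would gain access if such a group were replaced
    by world access (a+r/a+w, or a default D-Bus policy)."""
    users = parse_passwd(passwd_text)
    humans = {u for u, (uid, _) in users.items() if uid >= uid_min}
    report = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, member_list = line.split(":")
        members = {m for m in member_list.split(",") if m}
        # Users whose primary group is this gid are members too.
        members |= {u for u, (_, g) in users.items() if g == int(gid)}
        everyone = bool(humans) and humans <= members
        gaining = sorted(set(users) - members - humans - {"root"}) if everyone else []
        report[name] = {"all_humans": everyone, "services_gaining_access": gaining}
    return report


if __name__ == "__main__":
    for group, result in audit_groups(PASSWD, GROUP).items():
        print(group, result)
```

On a real host the same function can be fed the contents of /etc/passwd and /etc/group; a non-empty `services_gaining_access` list is the case where keeping the group still matters.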


