
Re: gids assigned non-deterministically



On Tue, 10 Oct 2006 18:10:42 +0200
Gabor Gombas <gombasg@sztaki.hu> wrote:

> On Tue, Oct 10, 2006 at 03:36:20PM +0200, Tim Dijkstra wrote:
> 
> > That's not an argument someone can just 'chown :plugdev' something.
> 
> Crap. I knew I'd overlook something. I think you could still prevent
> that with SELinux though :-)

Have to read up on SELinux some day, but not now;)
 
> On the other hand I was thinking about if in your case basically all
> users need to be members of all these groups anyway, then there is no
> point in having these groups at all. Just make pmount executable by
> anyone, and edit /etc/dbus-1/system.d/{avahi-dbus.conf,hal.conf} and
> replace '<policy group="powerdev">' etc. with '<policy
> context="default">' or with '<policy at_console="true">'.

> Similarly, if all users have read(/write) access to a device because all
> users are part of the group owning the device node, then you can just
> make that device node a+r(/a+w) and forget about the group.
>
> Of course there may be services running under other uids that you do not
> want to give all the access humans have; it has to be decided.

Yes, that doesn't seem like the right solution.

In any case, I'm kind of happy with my current setup. I was just trying
to point out that pam_group has its drawbacks.

grts Tim
