Re: gdm/Gnome/KDE and device permissions

To: debian-devel@lists.debian.org
Subject: Re: gdm/Gnome/KDE and device permissions
From: "Sam Morris" <sam@robots.org.uk>
Date: Wed, 11 Oct 2006 11:31:06 +0000 (UTC)
Message-id: <[🔎] egiklp$sgs$1@sea.gmane.org>
References: <[🔎] E1GXbwp-00087S-S8@polaris.logic.tuwien.ac.at>

On Wed, 11 Oct 2006 13:08:27 +0200, Gernot Salzer wrote:

> It seems that users have to be added to group "audio"
> in order to be able to access audio devices, group "video" to access
> video devices, "cdrom" to access cdrom, and so on. Or did I miss some
> setting during installation of etch?
> 
> Having to add users to particular groups is not reasonable in a
> desktop setting. There, one would like to have the current user
> at the console (logged in via gdm or similar) to be the one with
> exclusive rights on local devices (fixed ones like audio and video
> as well as variable ones like external usb devices).

I don't think it's possible to arrange for _exclusive_ access. Once a
user has been granted access to a group it is not really possible to
revoke the grant.

> Part of the problem can be solved by using libpam-permdev:
> it handles well fixed builtin devices like audio, video, cdrom,
> but fails with dynamic devices like usb sticks (the pam module
> is only active during login and therefore misses dynamic devices
> plugged in during the session).
> Moreover, since the module is not installed automatically with gdm,
> it doesn't seem to be the intended solution.

There is also pam_group which seems to do the same thing--adds users to
groups depending on their name, login method and time of day.

> For dynamic devices I haven't found a solution yet. Autodetection
> and automounting of e.g. usb sticks works with gnome, if there are
> entries in /etc/fstab. However, such entries are not reasonable
> since one doesn't know in advance which devices are plugged in
> in which order.

Since groups are only set when a user logs in it's not possible to e.g.,
add the user to the plugdev group when they plug in a USB stick. You'd
have to add them to plugdev when they log in.

I think HAL/PolicyTool/pam_foreground will eventually give us a
(slow?) solution to problems like this, but it's some way off at the
moment. Being able to add/revoke permissions with traditional security
methods (i.e. group membership) requires kernel modification AFAIK.

-- 
Sam Morris
http://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078

Reply to:

Follow-Ups:
- Re: gdm/Gnome/KDE and device permissions
  - From: Gernot Salzer <salzer@logic.at>
- Re: gdm/Gnome/KDE and device permissions
  - From: Roland Mas <lolando@debian.org>

References:
- gdm/Gnome/KDE and device permissions
  - From: Gernot Salzer <salzer@logic.at>

Prev by Date: at chosen
Next by Date: Re: apt-findremovable v0.1 (initial release)
Previous by thread: gdm/Gnome/KDE and device permissions
Next by thread: Re: gdm/Gnome/KDE and device permissions
Index(es):
- Date
- Thread