Re: gdm/Gnome/KDE and device permissions
On Wed, 11 Oct 2006 13:08:27 +0200, Gernot Salzer wrote:
> It seems that users have to be added to group "audio"
> in order to be able to access audio devices, group "video" to access
> video devices, "cdrom" to access cdrom, and so on. Or did I miss some
> setting during installation of etch?
> Having to add users to particular groups is not reasonable in a
> desktop setting. There, one would like to have the current user
> at the console (logged in via gdm or similar) to be the one with
> exclusive rights on local devices (fixed ones like audio and video
> as well as variable ones like external usb devices).
I don't think it's possible to arrange for _exclusive_ access. Once a
user has been granted access to a group it is not really possible to
revoke the grant.
> Part of the problem can be solved by using libpam-permdev:
> it handles well fixed builtin devices like audio, video, cdrom,
> but fails with dynamic devices like usb sticks (the pam module
> is only active during login and therefore misses dynamic devices
> plugged in during the session).
> Moreover, since the module is not installed automatically with gdm,
> it doesn't seem to be the intended solution.
There is also pam_group which seems to do the same thing--adds users to
groups depending on their name, login method and time of day.
> For dynamic devices I haven't found a solution yet. Autodetection
> and automounting of e.g. usb sticks works with gnome, if there are
> entries in /etc/fstab. However, such entries are not reasonable
> since one doesn't know in advance which devices are plugged in
> in which order.
Since groups are only set when a user logs in, it's not possible to, e.g.,
add the user to the plugdev group when they plug in a USB stick. You'd
have to add them to plugdev when they log in.
I think HAL/PolicyTool/pam_foreground will eventually give us a
(slow?) solution to problems like this, but it's some way off at the
moment. Being able to add/revoke permissions with traditional security
methods (i.e. group membership) requires kernel modification AFAIK.
PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
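The reply above mentions pam_group, which grants supplementary groups at login according to rules in /etc/security/group.conf (enabled with a line such as `auth optional pam_group.so` in the relevant /etc/pam.d/ service file, e.g. /etc/pam.d/gdm). The following is an added example, not code from the thread or from the pam_group project: a small POSIX sh evaluator for a simplified version of the group.conf rule format (`services;ttys;users;times;groups`), so you can see which groups a given login would receive before touching the real PAM configuration. The rule set, the service names, the tty names and the user names (alice, guest) are constructed for the example. Simplifications, all assumptions of this script and not pam_group's real behaviour: only the `*` glob, comma-separated alternatives and a single leading `!` per field are understood, the times field is treated as always matching, and granted groups are not de-duplicated.

```sh
#!/bin/sh
# Added example (not from the original thread or from pam_group): a simplified
# evaluator for the /etc/security/group.conf rule format used by pam_group.
# Real pam_group fields are logic lists with '!', '&' and '|'; this script only
# handles '*' globs, comma-separated alternatives and one leading '!'.  The
# times field (e.g. Al0000-2400) is assumed to always match.

# Disable pathname expansion: rule fields contain '*' which must stay literal
# when we split lines with "set --".
set -f

# Constructed group.conf.  Console logins via gdm or the text login get device
# groups; the guest account and remote sshd logins get nothing.
GROUP_CONF='# services;ttys;users;times;groups
gdm;*;*;Al0000-2400;audio,video,cdrom,plugdev
login;tty*;!guest;Al0000-2400;audio,cdrom'

# field_matches PATTERN VALUE: returns 0 when VALUE matches PATTERN.
# PATTERN is a comma-separated list of globs, optionally prefixed with '!'.
field_matches() {
    pat=$1
    val=$2
    neg=0
    case "$pat" in
        '!'*) neg=1; pat=${pat#!} ;;
    esac
    matched=1
    oldifs=$IFS
    IFS=,
    for alt in $pat; do
        case "$val" in
            $alt) matched=0; break ;;   # unquoted pattern: glob match
        esac
    done
    IFS=$oldifs
    if [ $neg -eq 1 ]; then
        [ $matched -eq 0 ] && return 1 || return 0
    fi
    return $matched
}

# pam_group_groups SERVICE TTY USER: prints the comma-joined list of groups
# the rule set would grant to this login (empty line if none).
pam_group_groups() {
    svc=$1
    tty=$2
    user=$3
    result=
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        oldifs=$IFS
        IFS=';'
        set -- $line
        IFS=$oldifs
        services=$1; ttys=$2; users=$3; groups=$5   # $4 (times) assumed to match
        if field_matches "$services" "$svc" \
           && field_matches "$ttys" "$tty" \
           && field_matches "$users" "$user"; then
            result="${result:+$result,}$groups"
        fi
    done <<EOF
$GROUP_CONF
EOF
    printf '%s\n' "$result"
}

# Stand-alone demo: what a console gdm login, a text login, the guest account
# and an ssh session would each be granted under the constructed rules.
for login in "gdm tty7 alice" "login tty1 alice" "login tty1 guest" "sshd pts/0 alice"; do
    printf '%-18s -> %s\n' "$login" "$(pam_group_groups $login)"
done
```

Two points the script makes concrete. First, the grant depends on the PAM service, so an sshd session matches none of the rules and gets no device groups, while the same user at the gdm console does. Second, as the reply says, this happens only once at login: nothing here runs when a device is plugged in later, and a group granted to a session is held by that session until it ends, so it cannot be handed back when another user takes over the console.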