
Re: gdm/Gnome/KDE and device permissions

> > Having to add users to particular groups is not reasonable in a
> > desktop setting. There, one would like to have the current user
> > at the console (logged in via gdm or similar) to be the one with
> > exclusive rights on local devices (fixed ones like audio and video
> > as well as variable ones like external usb devices).
> I don't think it's possible to arrange for _exclusive_ access. Once a
> user has been granted access to a group it is not really possible to
> revoke the grant.

Don't mechanisms like libpam_devperm grant exclusive access?
On login, the ownership of the devices is set to the console user,
and only the owner is granted rwx rights. On logout, the
ownership/permissions of the device revert to the old setting.

> There is also pam_group which seems to do the same thing--adds users to
> groups depending on their name, login method and time of day.

Thanks for the hint, I will check it.

> Since groups are only set when a user logs in it's not possible to e.g.,
> add the user to the plugdev group when they plug in a USB stick. You'd
> have to add them to plugdev when they log in.

Couldn't a script triggered by udev set ownership/permissions to
the current console user, like libpam_devperm does?

> I think HAL/PolicyTool/pam_foreground will eventually give us a
> (slow?) solution to problems like this, but it's some way off at the
> moment. Being able to add/revoke permissions with traditional security
> methods (i.e. group membership) requires kernel modification AFAIK.

How do end-user Linux distributions that are supposed to work out of the box
(like Ubuntu, Fedora, SUSE) solve this problem? World-rwx for all
user devices? All users added to groups like "audio", "video", ...?

Would it be possible to let all user devices (static or dynamic) be
owned by group "console" with rwx rights, and add/remove the console
user dynamically to/from this group on login/logout? This way
it wouldn't matter whether e.g. the USB stick is plugged in before
or after login.
Wouldn't this solve the problem?
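As an added illustration (not code from the mail or from libpam_devperm itself), the grant-on-login / revert-on-logout behaviour described above, in a form that could equally be called from a login hook or from a udev-triggered script for a newly plugged-in device. The state directory, the function names and the reliance on GNU coreutils `stat -c` are this example's own assumptions.

```shell
#!/bin/sh
# Example sketch of the libpam_devperm-style grant/revoke cycle the mail
# describes. Not the project's code; the names and paths are assumptions.
# Saved ownership/mode lives under $DEVPERM_STATE so that logout (or device
# removal) can restore exactly what login changed. Needs GNU coreutils stat.

DEVPERM_STATE="${DEVPERM_STATE:-/var/run/devperm}"

# Map a device path such as /dev/snd/pcmC0D0p to a flat state-file name.
devperm_key() { printf '%s' "$1" | tr '/' '_'; }

# Record the node's current uid:gid:mode, then hand it to the console user
# with read/write for the owner only (execute is meaningless on a device node).
# Only the first grant records state: a second login must not overwrite the
# original setting with the already-granted one.
devperm_grant() {
    dev="$1"; user="$2"
    mkdir -p "$DEVPERM_STATE"
    state="$DEVPERM_STATE/$(devperm_key "$dev")"
    [ -f "$state" ] || stat -c '%u:%g:%a' "$dev" > "$state"
    chown "$user" "$dev" && chmod 600 "$dev"
}

# Restore the ownership and mode saved by devperm_grant and drop the record.
# Returns non-zero when nothing was ever granted for this device.
devperm_revoke() {
    dev="$1"
    state="$DEVPERM_STATE/$(devperm_key "$dev")"
    [ -f "$state" ] || return 1
    IFS=: read -r uid gid mode < "$state"
    chown "$uid:$gid" "$dev" && chmod "$mode" "$dev" && rm -f "$state"
}

# Optional command-line dispatch so the script can be used as a hook:
#   devperm.sh grant  /dev/snd/pcmC0D0p alice
#   devperm.sh revoke /dev/snd/pcmC0D0p
case "${1:-}" in
    grant)  devperm_grant "$2" "$3" ;;
    revoke) devperm_revoke "$2" ;;
esac
```

Run as root against real device nodes; as an unprivileged user the chown only succeeds when the target is already the node's owner.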
