Re: gdm/Gnome/KDE and device permissions
[Gernot Salzer]
> what is the standard/canonical way of handling device permissions
> in Debian ("etch" in my case) on desktop PCs running a GUI?
As you probably found out from the replies so far, there is no
standard way. :(
Here are some notes I wrote for Debian Edu. You might find them useful.
Local device access
-------------------
The local user should have access to some of the local devices
(sound, cdrom, etc.) after logging in on the console or via
kdm/gdm/xdm/etc., but not when logging in remotely via ssh. There
are, as far as I know, two ways to make this happen. One way is to
add the local user to the groups needed to access these devices; the
other is to change the permissions on these devices to give access
to the local user. The former is done using pam_group, while the
latter is done using pam_devperm. Both have advantages and
weaknesses.
pam_group
---------
By updating /etc/pam.d/common-auth and /etc/security/group.conf it is
possible to add the logged-in user to the groups needed (audio,
floppy, cdrom, plugdev, video). In addition to giving access to
the devices present during login, it also makes sure hotplugged
devices like USB sticks work (group membership in plugdev takes care
of this).
The problem with this method is that every member of the groups in
question can create a setgid program to gain access to the devices
even when not logged into the machine. This makes it possible
to record from the microphone, read from the floppy, cdrom and
usb stick, and play unwanted sound on other users' computers.
It is also possible to start long-running processes in the
background to keep the access privileges to the devices in question.
--- /etc/pam.d/common-auth.orig 2006-10-17 11:25:40.000000000 +0000
+++ /etc/pam.d/common-auth 2006-10-17 11:25:29.000000000 +0000
@@ -7,4 +7,5 @@
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
+auth optional pam_group.so
auth required pam_unix.so nullok_secure
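Review bot: the new pam_group.so line is stacked as "optional", so a syntax error in /etc/security/group.conf or a group name that does not exist will not stop the login; the user just silently ends up without the device groups. That is the right choice if device access must never block a login, but it means a broken group.conf only shows up as missing group membership (check with "id" after a console login) rather than as a visible failure. A comment line above the new entry pointing at /etc/security/group.conf would also help the next person reading this stack.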
--- /etc/security/group.conf.orig 2006-10-17 11:27:32.000000000 +0000
+++ /etc/security/group.conf 2006-10-17 11:31:43.000000000 +0000
@@ -55,6 +55,8 @@
#xsh; tty* ;*;Al0900-1800;floppy
+*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video
+*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video
#
# End of group.conf file
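Review bot: the service field of both new lines is "*", so any PAM service whose tty matches gets the groups, not only the display managers and console login; "su" run on a virtual console would also match, and would hand the device groups to whatever account the user switches to. Listing the intended services (the actual PAM service names for login and the display managers) in the first field instead of "*" narrows that. The ":0" line also only covers the first X display; a second local display would need its own entry. The tty pattern "tty*&!ttyp*" excludes BSD-style ptys and relies on ssh sessions using pts/N, which does not match "tty*", so remote logins stay out as the text above intends.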
pam_devperm
-----------
By installing libpam-devperm and updating /etc/pam.d/common-session
(and /etc/logindevperm to fix bug #393661 and get access to
/dev/dsp), it is possible to modify the permissions of the relevant
devices when a user logs in, and reset the permissions when the user
logs out. The owner of the device is changed to the logged-in user,
and the mode is normally set to 0600, granting exclusive access.
The problem with this method is that hotplugged devices do not work, as
they are not present when the user logs in, and the device
ownership is only modified at login time. Another problem is
that the user can keep the access privileges for the devices after
logging out by starting long-running processes in the background.
--- /etc/pam.d/common-session.orig 2006-10-17 11:23:21.000000000 +0000
+++ /etc/pam.d/common-session 2006-10-17 10:42:08.000000000 +0000
@@ -7,3 +7,4 @@
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
+session required pam_devperm.so
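Review bot: with "session required pam_devperm.so", an error returned by pam_devperm (for instance a device listed in /etc/logindevperm that it cannot change ownership of) fails the whole session open and the user cannot log in, even though the preceding pam_unix line still runs. If changing device permissions should never block a login, "optional" is the safer control flag; if a silent failure is considered worse than a refused login, "required" is the deliberate choice and deserves a comment saying so, since the rest of this file gives no hint.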
--- /etc/logindevperm.orig 2006-10-17 10:51:58.000000000 +0000
+++ /etc/logindevperm 2006-10-17 10:53:08.000000000 +0000
@@ -24,7 +24,7 @@
:0 0600 /dev/cdrecorder:/dev/cdrecorder1:/dev/cdrecorder2:/dev/cdrecorder3
:0 0600 /dev/dvd:/dev/dvd1:/dev/dvd2:/dev/dvd3
:0 0600 /dev/zip:/dev/zip1:/dev/zip2:/dev/zip3
-:0 0600 /dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
+:0 0600 /dev/dsp:/dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
:0 0600 /dev/fd0:/dev/fd0u1440:/dev/fd0h1440:/dev/fd0u720:/dev/fd0h720
:0 0600 /dev/fd1:/dev/fd1u1440:/dev/fd1h1440:/dev/fd1u720:/dev/fd1h720
:0 0600 /dev/sequencer:/dev/sequencer2:/dev/music
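Review bot: the changed line adds the unnumbered /dev/dsp node in front of the numbered ones, which the text above gives as the fix for bug #393661; the same shape of omission (base node missing while the numbered nodes are listed) is worth checking for the other device families in this file, as only the dsp line is shown here. Note also that every entry in the visible context is for display ":0" only, so the same first-display limitation noted for group.conf applies, and with mode 0600 the devices belong exclusively to the console user for the whole session.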
Conclusion
----------
I recommend using the pam_group mechanism to get working hotplug
support, and recommend solving the setgid issue by adding the nosuid
mount flag to the partitions where users can add files (/home/,
/tmp/, /dev/shm/, /var/lock/), and solving the problem with
long-running processes by running some kind of idle-job killer to
kill long-running processes.
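As an added example (not part of the original mail), a small POSIX sh check for the nosuid recommendation above: it reads a /proc/mounts-style table, finds the mount that actually backs each listed directory (so a /tmp that is only a directory on the root filesystem is reported as covered by /), and lists those without nosuid. The mount table in the block is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the original mail): report which of the
# user-writable mount points recommended above lack the nosuid flag.
# Input is a /proc/mounts-style table: device mountpoint fstype options ...

# Constructed sample table; on a real host use "$(cat /proc/mounts)".
# /tmp is deliberately not a separate mount here, so it inherits the
# options of / (no nosuid) and must be reported.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /var/lock tmpfs rw,nosuid 0 0'

# missing_nosuid TABLE DIR... : print one line per DIR whose backing
# mount lacks nosuid, in the form "DIR (mount MOUNTPOINT: OPTIONS)".
# Returns 0 when every DIR is covered, 1 otherwise.
missing_nosuid() {
    table=$1; shift
    rc=0
    for p in "$@"; do
        # The longest mount point that is a prefix of the path (or /
        # itself) is the filesystem the path actually lives on.
        found=$(printf '%s\n' "$table" | awk -v p="$p" '
            { m = $2
              if ((m == "/" || p == m || index(p, m "/") == 1) &&
                  length(m) > length(best)) { best = m; opts = $4 } }
            END { print best, opts }')
        mnt=${found%% *}
        opts=${found#* }
        if [ -z "$mnt" ]; then
            echo "$p (no mount found)"; rc=1; continue
        fi
        case ",$opts," in
            *,nosuid,*) ;;                               # covered
            *) echo "$p (mount $mnt: $opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on a live system:
#   missing_nosuid "$(cat /proc/mounts)" /home /tmp /dev/shm /var/lock
```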