[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: handling group membership in and outside d-i

Le mercredi 04 mars 2009 à 17:55 +0100, Petter Reinholdtsen a écrit :
> Personally, I believe adding users to these groups at install time is
> the wrong approach, and believe the only scalable way to handle this
> is with policykit like features.  Then the group membership is handled
> dynamically at login time, and every console user get the expected
> privileges.

ConsoleKit and PolicyKit cannot solve all use cases unless the whole
stack is updated. This works very nicely for things like HAL: the device
is handled purely by the process running as root, and the ability to
talk to this process is controlled by the console access. However, for
e.g. audio access this cannot work unless all audio playback goes
through a process running as a privileged user. With the current APIs,
users need to be able to access the devices directly, and these are
privileges you cannot revoke.

> > In short....the first created user *should* be in powerdev. If it is
> > not....then there's a bug in user-setup (or somewhere else...).
> I believe this code should be dropped from d-i, and policykit related
> packages using pam_group should be installed instead.

Using things like pam_console or pam_group should not become our default
policy, unless we at least ensure /home, /var and /tmp are mounted
nosuid – and it would be better with the ability to revoke the
permissions on the open devices as well.

There is ongoing work in the kernel to finally add session support in
it, so maybe something good will come out of it, but otherwise this is
still the same mess.

 .''`.      Debian 5.0 "Lenny" has been released!
: :' :
`. `'   Last night, Darth Vader came down from planet Vulcan and told
  `-    me that if you don't install Lenny, he'd melt your brain.

Attachment: signature.asc
Description: Ceci est une partie de message =?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=

Reply to: