Re: group nvram
On Tue, Mar 17, 2009 at 11:42:52AM +0100, Marco d'Itri wrote:
> On Mar 17, Stephen Gran <firstname.lastname@example.org> wrote:
> > This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
> I think so.
> The rationale for this change is harmonization with all other
On its own, that's a fairly uninteresting rationale where system groups are
> > utilities to work, you currently need to be in group nvram. Making that
> > equivalent to kmem seems unnecessarily broad to me.
> Users must not be in specific groups to access hardware, this is broken
> and insecure.
No, it's only broken if the users are added to the groups on login with the
assumption that the permissions can be removed at the end of the session.
It's certainly far *more* insecure to add users to the kmem group than to
the nvram group.
But I'm not aware of any reason that users need to access /dev/nvram,
generally. The only tool I know of that uses this interface is
hotkey-setup, which runs a daemon as root to handle polling the nvram state,
so the group permissions don't matter.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/