Re: group nvram
On Wed, Mar 18, 2009 at 7:13 PM, Marco d'Itri <md@linux.it> wrote:
> On Mar 18, Steve Langasek <vorlon@debian.org> wrote:
>
>> A peek at the source says it uses /proc/acpi/ibm/light.
> Other people told me that they believe that nowadays all modern
> thinkpads use a kernel driver.
>
> This is the complete list of groups which I'd rather stop using:
>
> fuse (I have no idea about how FUSE works)
This group is important; fuse could lead to local DoS.
> kvm (what are the security implications of access to /dev/kvm?)
Idem: local DoS due to pinned memory.
> nvram
> rdma (infiniband devices)
> scanner (do SCSI scanners still exist? how are they used?)
scanner is also used for USB devices.
> tss (TPM devices, do select users have a need to access them?)
BTW why do you hate this group? They are here in order to give
fine-grained privilege, that is the basis of good security.
> The other major reason to do this is that non-standard groups which are
> not in /etc/groups break some systems which use LDAP.
Add this group to standard LDAP. Access to hardware should be limited by
policy, and group is a good policy. And a catch-all group
coulddolocaldos is not really a good policy.
Bastien