
Re: group nvram



On Wed, Mar 18, 2009 at 7:13 PM, Marco d'Itri <md@linux.it> wrote:
> On Mar 18, Steve Langasek <vorlon@debian.org> wrote:
>
>> A peek at the source says it uses /proc/acpi/ibm/light.
> Other people told me that they believe that nowadays all modern
> thinkpads use a kernel driver.
>
> This is the complete list of groups which I'd rather stop using:
>
>    fuse (I have no idea about how FUSE works)

This group is important; FUSE could lead to a local DoS.

>    kvm (what are the security implications of access to /dev/kvm?)

Idem, local DoS due to pinned memory.

>    nvram
>    rdma (infiniband devices)
>    scanner (do SCSI scanners still exist? how are they used?)

scanner is also used for USB devices.

>    tss (TPM devices, do select users have a need to access them?)


BTW, why do you hate this group? They are here in order to give fine-grained
privilege, which is the basis of good security.

> The other major reason to do this is that non-standard groups which are
> not in /etc/groups break some systems which use LDAP.

Add this group to standard LDAP. Access to hardware should be limited by
policy, and a group is a good policy. And a catch-all group
"coulddolocaldos" is not really a good policy.

Bastien
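As an added illustration of the per-device group policy argued for in the message above (this is not part of the original thread, nor Debian's actual udev configuration), here is a udev rules fragment giving each device node its own group with mode 0660, beside the catch-all alternative the message argues against. The group names are those listed in the thread; the kernel device names (fuse, kvm, nvram, uverbs*, tpm*) and the match patterns are assumptions, and the rule syntax is udev's.

```udev
# Added example: one group per device class, so a user who needs KVM
# does not also get FUSE, NVRAM, InfiniBand or the TPM.
# Assumed kernel device names: fuse, kvm, nvram, infiniband uverbs nodes, tpm0.
KERNEL=="fuse",       GROUP="fuse",  MODE="0660"
KERNEL=="kvm",        GROUP="kvm",   MODE="0660"
KERNEL=="nvram",      GROUP="nvram", MODE="0660"
KERNEL=="uverbs*",    GROUP="rdma",  MODE="0660"
KERNEL=="tpm[0-9]*",  GROUP="tss",   MODE="0660"

# The catch-all alternative the message rejects: a single group spanning
# every node, so membership granted for one device opens all of them
# (including those whose only risk is a local DoS).
KERNEL=="fuse|kvm|nvram|uverbs*|tpm[0-9]*", GROUP="coulddolocaldos", MODE="0660"
```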
