Re: group nvram

To: debian-devel@lists.debian.org
Subject: Re: group nvram
From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
Date: Wed, 18 Mar 2009 21:38:11 +0100
Message-id: <[🔎] 195c7a900903181338o326e8bd7o48bb23e7c78b9a52@mail.gmail.com>
In-reply-to: <[🔎] 195c7a900903181123y4b9e97awa7d548f7d44bfab6@mail.gmail.com>
References: <[🔎] 200903171130.35891.holger@layer-acht.org> <[🔎] 20090317013937.GA2973@bongo.bofh.it> <[🔎] 20090317085638.GA30653@www.lobefin.net> <[🔎] 20090317104252.GA4973@bongo.bofh.it> <[🔎] 20090317201956.GB17660@dario.dodds.net> <[🔎] 49C1235D.6060700@bzed.de> <[🔎] 20090318164627.GA18986@dario.dodds.net> <[🔎] 20090318181322.GA19946@bongo.bofh.it> <[🔎] 195c7a900903181123y4b9e97awa7d548f7d44bfab6@mail.gmail.com>

On Wed, Mar 18, 2009 at 7:23 PM, Bastien ROUCARIES
<roucaries.bastien@gmail.com> wrote:
> On Wed, Mar 18, 2009 at 7:13 PM, Marco d'Itri <md@linux.it> wrote:
>> On Mar 18, Steve Langasek <vorlon@debian.org> wrote:
>>
>>> A peek at the source says it uses /proc/acpi/ibm/light.
>> Other people told me that they believe that nowadays all modern
>> thinkpads use a kernel driver.
>>
>> This is the complete list of groups which I'd rather stop using:
>>
>>    fuse (I have no idea about how FUSE works)
>
> This group is important, fuse could lead to local dos.
>
>>    kvm (what are the security implications of access to /dev/kvm?)
>
> Idem local dos due to pinned memory
>
>>    nvram
>>    rdma (infiniband devices)

about this group:
https://bugs.launchpad.net/ubuntu/+source/udev/+bug/256216

Having 0666 permissions would not necessarily be a bad idea, but the
consensus among other distributions is to limit RDMA access to an
"rdma" group so that administrators have some control over who gets
direct hardware access (even though in theory it is safe for anyone,
there is the possibility of untrusted users consuming network
bandwidth at least). Also, RDMA often requires increasing the amount
of locked memory allowed in /etc/security/limits.conf, and doing that
by group "rdma" is convenient as well.

>>    scanner (do SCSI scanners still exist? how are they used?)
>
> scanner is also used for usb device.
>
>>    tss (TPM devices, do select users have a need to access them?)
>
>
> BTW why do you hate this group? They are here in order to give fine
> gained privilege, that is the basis of good security.
>
>> The other major reason to do this is that non-standard groups which are
>> not in /etc/groups break some systems which use LDAP.
>
> Add this group to standard ldap. Acces to harware should be limited by
> policy, and group is a good policy. And a catch all group
> coulddolocaldos is not really a good policy.

BTW instead of arguing about group and something like this could we
create a wiki page on debian wiki about justification of group.
Therefore purpose of every system group will documented. With exemple
of security concern.

Regards

Bastien

Reply to:

Follow-Ups:
- Re: group nvram
  - From: Bastien ROUCARIES <roucaries.bastien@gmail.com>

References:
- Re: group nvram
  - From: Holger Levsen <holger@layer-acht.org>
- group nvram
  - From: md@Linux.IT (Marco d'Itri)
- Re: group nvram
  - From: Stephen Gran <sgran@debian.org>
- Re: group nvram
  - From: md@Linux.IT (Marco d'Itri)
- Re: group nvram
  - From: Steve Langasek <vorlon@debian.org>
- Re: group nvram
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: group nvram
  - From: Steve Langasek <vorlon@debian.org>
- Re: group nvram
  - From: md@Linux.IT (Marco d'Itri)
- Re: group nvram
  - From: Bastien ROUCARIES <roucaries.bastien@gmail.com>

Prev by Date: Re: Environment variables, debian/rules and dpkg-buildpackage
Next by Date: Re: removing unmaintained (unused?) X input drivers
Previous by thread: Re: group nvram
Next by thread: Re: group nvram
Index(es):
- Date
- Thread