Re: DE features dependent on Systemd

On 03/12/14 14:46, Svante Signell wrote:
> On Wed, 2014-12-03 at 14:25 +0100, Vincent Bernat wrote:
>> The problem with those groups is that they are not fine grained
>> enough.
> 
> If more granularity is needed, what's hindering introduction of even
> more groups: like an image group and splitting the fb0 to more devices?
> Or even subdirectories like /dev/snd/* for audio etc.

This does not actually solve the same problem as logind's "uaccess", or
ConsoleKit's "udev ACL" (which was an older version of the same general
idea): it just splits it up into a larger number of orthogonal instances
of the same problem, which is that group membership makes a poor
encoding for temporary permissions.

A normal user with no special privileges should be able to access the
webcam on a PC if and only if they are physically sitting at that PC:
they should not be forbidden from using it altogether, but neither
should they be able to log in via ssh and spy on the PC's current user.
Granting privileges based on groups can only reliably give you access
all the time (including ssh or other remote logins) or none of the time;
it cannot give you access only while you are logged in locally.

logind's "uaccess" and ConsoleKit's "udev ACLs" both work by tagging
device nodes with a marker that means "this should be available to
locally-logged-in users"; whenever a user logs in for the first time (as
detected by a PAM module), putting POSIX ACLs on those tagged device
nodes that give access to that user; and whenever a user logs out for
the last time (PAM again), removing those ACLs again. It looks like this:

# file: dev/video0
# owner: root
# group: video
user::rw-
user:smcv:rw-
group::rw-
mask::rw-
other::---
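
As an added illustration (not code from the post, logind or ConsoleKit), the Python below models that ACL: it parses getfacl output, simulates the PAM-driven grant on first login and removal on last logout, and applies the kernel's POSIX ACL check, which intersects named-user and group entries with the mask. It also shows the contrast drawn above: the group entry keeps granting access after the per-user entry is gone. Any user names other than smcv in a usage are constructed.

```python
# Added example (not code from the post or logind): the ACL logind "uaccess" puts on a device node, and the kernel access check.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

VIDEO0_ACL = """# file: dev/video0
# owner: root
# group: video
user::rw-
user:smcv:rw-
group::rw-
mask::rw-
other::---
"""  # the ACL shown in the post, as getfacl prints it

def _bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def parse_acl(text):
    """Return ([(tag, qualifier, bits)], owner, owning_group) from getfacl output."""
    header = dict(l[2:].split(": ", 1) for l in text.splitlines() if l.startswith("# "))
    entries = [(t, q, _bits(p)) for t, q, p in
               (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))]
    return entries, header["owner"], header["group"]

def _with_mask(entries):
    """setfacl recomputes the mask as the union of the group-class entries."""
    mask = 0
    for tag, qual, bits in entries:
        mask |= bits if tag == "group" or (tag == "user" and qual) else 0
    return [e for e in entries if e[0] != "mask"] + [("mask", "", mask)]

def session(acl, user, logged_in):
    """PAM hook: first local login adds user:NAME:rw (setfacl -m), last logout removes it (setfacl -x)."""
    entries, owner, group = acl
    entries = [e for e in entries if e[:2] != ("user", user)]
    if logged_in:
        entries.append(("user", user, _bits("rw")))
    return _with_mask(entries), owner, group

def can_access(acl, user, groups, want):
    """Kernel posix_acl_permission(): first matching class decides; the mask limits named-user and group entries."""
    entries, owner, owning_group = acl
    want, mask = _bits(want), next((b for t, _, b in entries if t == "mask"), 7)
    for tag, qual, bits in entries:
        if tag == "user" and (qual == user if qual else user == owner):
            return (bits & (mask if qual else 7)) & want == want
    matched = [bits & mask for tag, qual, bits in entries if tag == "group"
               and (qual in groups if qual else owning_group in groups)]
    if matched:
        return any(b & want == want for b in matched)
    return next(b for t, _, b in entries if t == "other") & want == want
```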

FAQ which someone will bring up at this point unless I specifically
mention it: but what about pam_group?

Answer: anyone with write access to any filesystem that is not mounted
nosuid (let's say it's /var/tmp) can make their temporary group-based
privileges permanent. Suppose I get placed in group video when I log in
locally, but not when I log in via ssh. Then I can do this:

# while logged in locally, and thus granted access to gid video
cp /bin/dash /var/tmp/my-video-shell
chgrp video /var/tmp/my-video-shell
chmod g+s /var/tmp/my-video-shell
# later, via ssh or something
/var/tmp/my-video-shell -c eavesdrop-via-the-webcam &

And yes, in principle we could bind-mount /tmp, /dev/shm, /var/tmp,
/run/lock, /home, ... over themselves to make them nosuid if they are
not already - but that's relatively complex, would "fail open" if we
miss an a+w directory in /srv or something, potentially breaks existing
desired functionality like ikiwiki's optional setuid wrappers, and we
don't need it because we already have at least two working
implementations of the ACL solution.

    S