About #974 (Set mode for /dev/dsp to 0666)
Hi!
I'm absolutely unhappy with the solution for #974.
We generate a big security problem while knowing it better.
With the choosen solution it's possible to ssh into the teachers
workstation in the teachers room an access a possibly connected
microphone...
The bugreport shows a way better solution, pam_group.
As we're using this at my workplace I know that it works wonderfull and
also provides more security as only local users will get access to the
special devices.
Here are some patches to fix this situation.
(group-debian-edu.conf to be placed in
SVN://debian-edu/src/debian-edu-config/etc/security)
(I have no maschines to test this and so this is untested, but will
work to 99,99%, because of this I did not commit it to svn.)
Ciao
Max
--
Follow the white penguin.
##
## Note, to get this to work as it is currently typed you need
##
## 1. to run an application as root
## 2. add the following groups to the /etc/group file:
## floppy, games, sound
##
#
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
# *** is setgid a group that they are infrequently given membership
# *** of, they can basically obtain group membership any time they
# *** like. Example: games are allowed between the hours of 6pm and 6am
# *** user joe logs in at 7pm writes a small C-program toplay.c that
# *** invokes their favorite shell, compiles it and does
# *** "chgrp games toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
#
# this is an example configuration file for the pam_group module. Its
# syntax is based on that of the pam_time module and (at some point in
# the distant past was inspired by the 'shadow' package)
#
# the syntax of the lines is as follows:
#
# services;ttys;users;times;groups
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
#
# the first four fields are described in the pam_time directory.
# The only difference for these is how the time field is interpretted:
# it is used to indicate "when" these groups are to be given to the user.
#
# groups
# The (comma or space separated) list of groups that the user
# inherits membership of. These groups are added if the previous
# fields are satisfied by the user's request
#
#
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
# the user 'us' is given access to the floppy (through membership of
# the floppy group)
#
#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
# another example: running 'xsh' on tty* (any ttyXXX device),
# the user 'sword' is given access to games (through membership of
# the sound and play group) after work hours. (The games group owns
# high-score files and so on, so don't ever give users access to it.)
#
#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy
login;*;*;Al0000-2400;cdrom,floppy,audio,users,dialout,video
kdm;*;*;Al0000-24000;cdrom,floppy,audio,users,dialout,video
#
# End of group.conf file
#
Index: kde-debian-edu
===================================================================
--- kde-debian-edu (revision 5960)
+++ kde-debian-edu (working copy)
@@ -4,7 +4,9 @@
auth required pam_env.so
auth sufficient pam_unix.so shadow nullok
auth required pam_ldap.so use_first_pass
+auth optional pam_group.so
+
account sufficient pam_ldap.so
account required pam_unix.so
Index: login-debian-edu
===================================================================
--- login-debian-edu (revision 5960)
+++ login-debian-edu (working copy)
@@ -31,7 +31,9 @@
auth sufficient pam_unix.so nullok
auth required pam_ldap.so use_first_pass
+auth optional pam_group.so
+
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
Reply to: