
About #974 (Set mode for /dev/dsp to 0666)



Hi!

I'm absolutely unhappy with the solution for #974.
We generate a big security problem while knowing better.

With the chosen solution it's possible to ssh into the teachers'
workstation in the teachers' room and access a possibly connected
microphone...

The bug report shows a way better solution, pam_group.
As we're using this at my workplace I know that it works wonderfully and
also provides more security, as only local users will get access to the
special devices.

Here are some patches to fix this situation.
(group-debian-edu.conf to be placed in
SVN://debian-edu/src/debian-edu-config/etc/security)

(I have no machines to test this and so this is untested, but will
 work to 99.99%; because of this I did not commit it to svn.)

Ciao
Max
-- 
	Follow the white penguin.
##
## Note, to get this to work as it is currently typed you need
##
## 1. to run an application as root
## 2. add the following groups to the /etc/group file:
##		floppy, games, sound
##
#
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
# *** is setgid a group that they are infrequently given membership
# *** of, they can basically obtain group membership any time they
# *** like. Example: games are allowed between the hours of 6pm and 6am
# *** user joe logs in at 7pm writes a small C-program toplay.c that
# *** invokes their favorite shell, compiles it and does
# *** "chgrp games toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
#
# this is an example configuration file for the pam_group module. Its
# syntax is based on that of the pam_time module and (at some point in
# the distant past was inspired by the 'shadow' package)
#
# the syntax of the lines is as follows:
#
#       services;ttys;users;times;groups
#
# white space is ignored and lines may be extended with '\\n' (escaped
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
#
# the first four fields are described in the pam_time directory.
# The only difference for these is how the time field is interpreted:
# it is used to indicate "when" these groups are to be given to the user.
#
# groups
#	The (comma or space separated) list of groups that the user 
#	inherits membership of. These groups are added if the previous
#	fields are satisfied by the user's request
#

#
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
# the user 'us' is given access to the floppy (through membership of
# the floppy group)
#

#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
# another example: running 'xsh' on tty* (any ttyXXX device),
# the user 'sword' is given access to games (through membership of
# the sound and play group) after work hours.  (The games group owns
# high-score files and so on, so don't ever give users access to it.)
#

#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy

login;*;*;Al0000-2400;cdrom,floppy,audio,users,dialout,video
kdm;*;*;Al0000-2400;cdrom,floppy,audio,users,dialout,video

#
# End of group.conf file
#
Index: kde-debian-edu
===================================================================
--- kde-debian-edu	(revision 5960)
+++ kde-debian-edu	(working copy)
@@ -4,7 +4,9 @@
 auth       required     pam_env.so
 auth       sufficient   pam_unix.so shadow nullok
 auth       required     pam_ldap.so use_first_pass
+auth       optional     pam_group.so
 
+
 account    sufficient   pam_ldap.so
 account    required     pam_unix.so
 
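Review bot: the new `auth optional pam_group.so` line is unreachable for users who authenticate through `pam_unix.so`, because that module is marked `sufficient` two lines earlier: when a `sufficient` module succeeds (and no earlier `required` module has failed), the auth stack returns at once and the later modules are never called, so only accounts that fall through to `pam_ldap.so` would pick up the extra groups. Place the line above `auth sufficient pam_unix.so shadow nullok` (for example directly after `pam_env.so`) so it runs on both paths. The hunk also adds a second empty line (a bare `+`) before the `account` section, which can be dropped.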
Index: login-debian-edu
===================================================================
--- login-debian-edu	(revision 5960)
+++ login-debian-edu	(working copy)
@@ -31,7 +31,9 @@
 auth       sufficient pam_unix.so nullok
 
 auth       required   pam_ldap.so use_first_pass
+auth       optional   pam_group.so
 
+
 # This allows certain extra groups to be granted to a user
 # based on things like time of day, tty, service, and user.
 # Please uncomment and edit /etc/security/group.conf if you
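Review bot: same ordering problem as in kde-debian-edu: `auth sufficient pam_unix.so nullok` at the top of this hunk ends the auth stack with success for local accounts before the added `auth optional pam_group.so` is reached, so only LDAP-authenticated logins would receive the extra groups; move the line above the `sufficient` pam_unix entry. The added line also sits above the comment block ("This allows certain extra groups to be granted to a user ... Please uncomment and edit /etc/security/group.conf") that documents it; placing it below that comment keeps the explanation next to the module. That comment names `/etc/security/group.conf` as the file pam_group.so reads, while the mail ships the rules as `group-debian-edu.conf`, so the step that installs them under the expected name belongs in the change as well.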

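As an added example (not part of Max's mail or of the debian-edu-config package), a small Python linter for the `services;ttys;users;times;groups` rule format described in the group.conf comments above: it splits each rule into its five fields and checks every day/time term against the `Al0000-2400` / `!Wk0900-1800` shape. The constructed sample is the two active rules of the proposed file, the kdm one carrying a five-digit time range (`Al0000-24000`), a slip that is easy to miss by eye; the day codes (Mo Tu We Th Fr Sa Su Wk Wd Al) and the `&`/`|`/`!` operators follow the pam_time documentation, and glob matching of the ttys/users fields is deliberately not implemented.

```python
import re
# Constructed sample (not from the page's files): the two active rules of the
# proposed group-debian-edu.conf, the second with a mistyped time range.
SAMPLE_CONF = """\
# comment and blank lines are ignored
login;*;*;Al0000-2400;cdrom,floppy,audio,users,dialout,video
kdm;*;*;Al0000-24000;cdrom,floppy,audio,users,dialout,video
"""
FIELDS = ("services", "ttys", "users", "times", "groups")
# One day/time term: optional '!', one or more two-letter day codes, HHMM-HHMM.
TERM_RE = re.compile(r"^!?(?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+(\d{4})-(\d{4})$")

def parse_rule(line):
    """Split one rule into its five ';' fields; None for blank or comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = [f.strip() for f in body.split(";")]
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    return dict(zip(FIELDS, fields))

def hhmm_ok(s):
    """HHMM must be a real clock time; 2400 is accepted as end-of-day."""
    return s == "2400" or (int(s[:2]) < 24 and int(s[2:]) < 60)

def check_times(times):
    """List the problems in a times field such as 'Al0000-2400' or '!Wk0900-1800'."""
    problems = []
    # Terms are combined with '&' (and) and '|' (or); check each term on its own.
    for term in re.split(r"[&|]", times):
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable time term {term!r}")
        elif not (hhmm_ok(m.group(1)) and hhmm_ok(m.group(2))):
            problems.append(f"hour or minute out of range in {term!r}")
    return problems

def lint_conf(text):
    """Map 1-based line numbers to the problems found in each rule of a group.conf body."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as err:
            report[n] = [str(err)]
            continue
        if rule is not None and (problems := check_times(rule["times"])):
            report[n] = problems
    return report
```

Running `lint_conf(SAMPLE_CONF)` reports only line 3, the kdm rule, as unparseable; the login rule passes.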