
Adding users to plugdev dynamically



Guys,

Robert McQueen suggested adding users dynamically to the plugdev group on login with
pam_group rather than adding all users to this group. There are several
reasons why this would be beneficial.

* Our users are bound to forget to add any new user they create to this group
(among others including audio) leading to an increase in bug reports and
frustrated users. This could be resolved by making the g-v-m warn that the user
is not in the plugdev group when it is run (if it does not already do this).

* In a network environment where the authentication and group membership are
specified by NIS/ldap/etc, this could cause issues if there are certain machines
where the removable media might be private, or the system acts as an individual's
workstation but is also accessible remotely.

In particular a problem could arise where a malicious user logs into the system
remotely, via ssh, and starts a process that monitors for the insertion of a usb
keystick, and upon insertion mounts and gains control of this stick. This would
either be a DoS, preventing the user logged in directly at the workstation from
using and mounting it, or, worse, could lead to information leakage; if
that device is being used to store an ssh/rootplug/gpg key then there is a real
security risk.

All these problems would be avoided if the pam configuration files for, say,
gdm/xdm/console logins automatically added the user to the group.

Cheers,

Rob
-- 
Rob 'robster' Bradford
http://robster.org.uk
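As an added illustration (not part of Rob's mail), this is what the pam_group approach described above looks like on a typical Linux system; the service names, tty pattern and time window are assumptions and must match the entries actually present under /etc/pam.d:

```conf
# /etc/security/group.conf  (added example; values are assumptions)
# Field order: services;ttys;users;times;groups
# Console and display-manager logins receive plugdev (and audio) for the
# duration of that session only.  A remote login arrives through the "sshd"
# service, which is deliberately not listed here, so it gets no plugdev
# membership and cannot mount removable media inserted at the console.
login;tty*;*;Al0000-2400;plugdev,audio
gdm;*;*;Al0000-2400;plugdev,audio
xdm;*;*;Al0000-2400;plugdev,audio

# /etc/pam.d/gdm (and likewise /etc/pam.d/login and /etc/pam.d/xdm):
# pam_group has to be in the auth stack so the supplementary group is
# attached to the session's credentials at login time.
auth    required    pam_group.so
```

Membership granted this way shows up in `id` only for that login session, so the user should not also be listed under plugdev in /etc/group, or the static membership would apply to remote logins as well.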


