
groups better than setgid/setuid, but remember to re-login



Gary is correct about both the typo in /etc/group (see below if you care) and the
general philosophy of using groups to solve permission issues.
I had tried that at the beginning and made a typical newbie mistake.
I did

    su root
    <password>
    adduser chipg audio
    exit
    <try audio player>

Didn't work!
My (chipg's) new status as a member of audio group doesn't take effect until
chipg logs out and back in.

Now I follow The Debian Way(TM)
-Chip Grandits

Gary L. Hennigan wrote:

> Chip Grandits <chipg@frii.com> writes:

[...]

> | I've taken the quick and dirty way out with a security hole, because
> | anyone can read
>

[...]

> | Alternately YOU could join the audio group, that way you could use
> | audio devices but other mortal users could not (unless the root
> | similarly grants them the ability) I don't know of a command line
> | utility to add users to groups, simply modify /etc/group (again as
> | root); under default debian 1.3.1 there is a line
> | audio:x:29:
> | simply add your user name to make
>
> | audio:x:yourname
> ^^^^^^^^^^^^^^^^^^
> Not quite, you deleted the group number in the line above. Do that and
> you'll be hurtin'. The line should look like:
>
> audio:x:29:yourname
>
> The Debian Way (TM) is indeed to add yourself, and anyone else who you
> want to have access to the audio devices, to the audio group. The
> easiest way to do this is with the adduser command. For example, to
> add joebloe to the audio group simply, as root, do:
>
> adduser joebloe audio
>
> I think this was true under 1.3 as well, but you'd have to check. This
> is much better than going around setting the GID bit on dozens of
> programs that access the device, and almost as simple as changing the
> permission on the device to 666, without losing the security.
>
> The other problem with changing permissions on devices is knowing what
> a device does. There are a number of audio devices that are relevant
> and it's much easier to add yourself to the audio group and let the
> Debian maintainers worry about which devices are relevant to the audio
> group. AND what happens when you upgrade? It's possible the
> permissions will be reverted back when you upgrade and you'll end up
> having to change the permissions all over again.
>
> In short, stick with the method of adding yourself to the group which
> has access to a particular device. It's safe, in terms of security and
> future upgrades, and easy, plus, it is the Debian Way (TM).
>
> Gary
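
Added example, not part of the original thread: a shell check for the two pitfalls discussed above, a group line that has lost its GID field and a membership that is recorded in the group file but not yet active in the current login session. The function names and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# check_group_line LINE -> 0 if LINE has the name:password:GID:members
# layout with a numeric GID, 1 otherwise (e.g. the "audio:x:yourname" typo).
check_group_line() {
    printf '%s\n' "$1" | awk -F: '
        NF == 4 && $1 != "" && $3 ~ /^[0-9]+$/ { ok = 1 }
        END { exit !ok }'
}

# listed_in_group USER GROUP FILE -> 0 if USER is in GROUP's member list.
# A user's primary group (set in /etc/passwd) is not listed this way.
listed_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# session_has_group GROUP "space separated group names" -> 0 if present.
# Pass "$(id -Gn)" to test the groups of the running login session.
session_has_group() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# membership_state USER GROUP FILE SESSION_GROUPS
# prints: active | relogin-needed | not-a-member
membership_state() {
    if ! listed_in_group "$1" "$2" "$3"; then
        echo "not-a-member"
    elif session_has_group "$2" "$4"; then
        echo "active"
    else
        echo "relogin-needed"
    fi
}

# Demo on a constructed group file: chipg was just added to audio,
# but the session's group list was fixed at login time.
demo() {
    f=$(mktemp)
    printf 'audio:x:29:chipg\nfloppy:x:25:\n' > "$f"
    membership_state chipg audio "$f" "chipg dialout"
    rm -f "$f"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```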



