Making more groups and removing 32 groups limit.

To: debian-user@lists.debian.org
Subject: Making more groups and removing 32 groups limit.
From: Sami Dalouche <samid@ifrance.com>
Date: Tue, 6 Jul 1999 15:27:21 +0200
Message-id: <[🔎] 19990706152721.A21008@pingoo.dhis.org>

There is about a hundred of devices in /dev 
(ls /dev/* | wc -l returns me 1016) and debian provides only 40 groups.

It shows that an admin doesn't have a fine control of distributing tasks to
some other users w/o giving too much power.

For example, to give access to a SCSI HD to a particular user, an admin
must do
addgroup <user> disk

and the user is able to mofify 444 devices (ls -l /dev/* | grep disk | wc -l)
which is too much. So, to do a secure thing, the sysadmin must play with
chown & chgrp on a lot of device which isn't clear. 

Another example :
I've a scsi scanner which is compatible with sane and everyone knows that a
scanner uses /dev/sg*
Here are my /dev/sg* :

crw-------   1 root     root      21,   0 Jul 21  1998 /dev/sg0
crw-------   1 root     root      21,   1 Jul 21  1998 /dev/sg1
crw-------   1 root     root      21,   2 Jul 21  1998 /dev/sg2
crw-------   1 root     root      21,   3 Jul 21  1998 /dev/sg3
crw-------   1 root     root      21,   4 Jul 21  1998 /dev/sg4
crw-------   1 root     root      21,   5 Jul 21  1998 /dev/sg5
crw-------   1 root     root      21,   6 Jul 21  1998 /dev/sg6
crw-------   1 root     root      21,   7 Jul 21  1998 /dev/sg7

So, only root is able to use these device and if I want to scan as a simple
user, I must do as root (my scanner is /dev/sg1)

addgroup sg
chown root.sg /dev/sg*
chmod 660 /dev/sg*
addgroup <user> sg


and it should work.

But I think that this method isn't clean because we change the Debian
defaults and Debian should be adapted to the software it distributes.


OK, you can say that it's the admin task but it would be more clean to do
this and the admin can't do everything. For example, if the dpkg
database.... would be like an email spool, owned by a group called pkg for
example, root could give the package management to a specific user. 
For now, even if the admin does 
addgroup pkg
chown -R root.pkg /var/lib/dpkg
chmod -R g+....

dpkg will say that it needs root.

What I say is maybe stupid but it would be really simpler et efficient to
divide the system into a multitude of groups.

I know that a user can't be part of more than 32 groups too, so it's
impossible to make many groups.

As a result, the only thing to do, I think, is to remove the 32 groups per
user limit and make the more groups we can, associating the rights to these
groups.

-- 
|    .                               ICQ      : 25529539
|    | |\  | |  | \  /               AIM      : linhax
|___ | |  \| |__| /  \               IRC nick : linhax
Sami Dalouche : samid@ifrance.com    DHIS     : pingoo.dhis.org

Reply to:

Follow-Ups:
- Re: Making more groups and removing 32 groups limit.
  - From: Carl Mummert <mummert@cs.wcu.edu>

Prev by Date: KDE : why not in Debian?
Next by Date: Re: Thanks
Previous by thread: Re: KDE : why not in Debian?
Next by thread: Re: Making more groups and removing 32 groups limit.
Index(es):
- Date
- Thread