[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: group ownership of /dev files

also sprach Derek Martin <code@pizzashack.org> [2006.06.23.0017 +0200]:
> Thanks for the tip... this may work, though at a quick glance,
> again, I don't see how this is better than pam_console.

It does not mess with the filesystem for a start.

And no, it won't get rid of the security issues.

> > You could help with modularisation of makedev, which will allow you
> > to specify policies for device files.
> Is udev using makedev, or equivalent? 


> If not, I would think that the better way to go would be to look
> into configuring policies in udev...

You can do that too.

> In particular, it would be nice if whatever is managing the
> devices noticed that the device files exist already, and leave
> them alone if only the permissions and/or ownerships have changed.

By the time udev creates it, the device file does not exist. udev
uses a tmpfs, which is a filesystem in RAM, which is empty after

> > dpkg -P udev
> Any potential gotchas to doing that?  It might be the right
> solution for my purposes...

it might screw up the system(s), but it might also work. You won't
get the benefits from udev anymore, obviously, which include better
control over device naming, permissions (ha!), scripts, hotplugging,

> > you get what you ask for. Now if you're not using devfs but
> > a plain /dev, you should be fine.
> FWIW, I didn't ask for udev.  It appears to be the default... 

What did you install? sarge? No udev default for sarge. But yes,
unfortunately, it will be default in the future.

> Thanks for your response, and thanks to everyone else who
> responded. It looks like a real solution to my problem is going to
> have to wait until I do a little more research, but at least
> I know what to look at now.

There is no solution to your problem, not on a multiuser operating
system. There are plenty of approaches, but none of them cater
against malicious users. If you don't have any of those (haha), then
pam_group is IMHO the best approach.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
SUSE: Soll Unix Sein, Eigentlich.

Attachment: signature.asc
Description: Digital signature (GPG/PGP)

Reply to: