
Re: piece of mind (Re: Moderated posts?)




2014/10/16 5:59 "Andrei POPESCU" <andreimpopescu@gmail.com>:
>
> On Mi, 15 oct 14, 09:46:47, The Wanderer wrote:
> >
> > I suspect that the answer is "they just didn't provide the functionality
> > which ConsoleKit, and later systemd-logind, now enable them to provide",
> > but I'm not aware - in a clear-understanding, defined-boundaries sense -
> > of exactly what that functionality is, or of why it would be necessary
> > or otherwise valuable, or of what the problem is which that
> > functionality was intended to address.
>
> A problem that ConsoleKit and logind are trying to address is handling
> permissions to access devices.
>
> Traditionally on *nix machines this was done with user groups, e.g.
> members of 'audio' would have full (read/write) access to all audio
> devices and members of 'video' would have full access to video cards or
> web-cams.
>
> The problem with this approach is that it's not fine-grained enough,
> i.e. it can't distinguish between users logged in locally or via ssh.
> This means Mallory could easily spy on Alice remotely, just by being a
> member of 'audio' and 'video'.
>
> Hope this explains,
> Andrei

Two thoughts that this problem brings to mind --

(1) Why should it matter? Local? Remote? A hole is a hole.

(1.5) How does ssh deal with making connections private? Any clues there?

(2) There are times when I don't want to have to be logged in as an admin user to be able to make an ephemeral group. I've understood that for ten years. When am I going to make the time to construct the package to manage it within the standard unix permissions model?

:-(

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.
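
The group-based model described in the quoted message can be audited by cross-checking 'audio'/'video' membership against which sessions are remote. The following is an added example, not part of either message in this thread; the group file and session data are constructed samples, with the session blocks laid out like the KEY=VALUE properties printed by `loginctl show-session`.

```python
# Constructed sample in /etc/group format (name:passwd:gid:members).
SAMPLE_GROUP = """\
audio:x:29:alice,mallory
video:x:44:alice,mallory
sudo:x:27:alice
"""

# Constructed sample: `loginctl show-session <id>` style KEY=VALUE
# properties, one block per session, blank line between blocks.
SAMPLE_SESSIONS = """\
Id=1
Name=alice
Remote=no
Seat=seat0

Id=7
Name=mallory
Remote=yes
Seat=
"""

DEVICE_GROUPS = {"audio", "video"}

def device_group_members(group_text, groups=DEVICE_GROUPS):
    """Map user -> device groups listed for them as supplementary members.
    Users whose primary group (passwd gid) is a device group are not covered."""
    members = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in groups:
            for user in filter(None, fields[3].split(",")):
                members.setdefault(user, set()).add(fields[0])
    return members

def parse_sessions(text):
    """Turn blank-line-separated KEY=VALUE blocks into one dict per session."""
    return [dict(l.split("=", 1) for l in block.splitlines() if "=" in l)
            for block in text.strip().split("\n\n")]

def remote_device_access(group_text, session_text):
    """Sessions where group membership alone grants device access remotely."""
    members = device_group_members(group_text)
    return [(s["Name"], s.get("Id"), sorted(members[s["Name"]]))
            for s in parse_sessions(session_text)
            if s.get("Remote") == "yes" and s.get("Name") in members]

if __name__ == "__main__":
    for user, sid, groups in remote_device_access(SAMPLE_GROUP, SAMPLE_SESSIONS):
        print(f"session {sid}: {user} is remote and in {', '.join(groups)}")
```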

