linux-hotplug.vger.kernel.org archive mirror
* "console" virtual group for desktop users
@ 2004-04-03  4:58 Matthew Mastracci
  2004-04-03 15:43 ` Waldo Bastian
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Matthew Mastracci @ 2004-04-03  4:58 UTC (permalink / raw)
  To: linux-hotplug

I originally posted this message to Redhat's pam-list, but I didn't
receive any responses.  I'm not certain if these lists are the best
place for it, but I can see possible overlap with some of the Project
Utopia and general Linux Hotplug work and thought it could provoke some
useful discussion here.  

The summary of the message is the replacement of the "console.perms"
style permissions with a "console" group, whose members would be
provided by an nsswitch library.  These members would dynamically update
as users create/kill X sessions, allowing two locally logged in users
with different X sessions to share local devices (ie: /dev/dsp,
/dev/dvd, etc.)

--- Previous Message ---

After having some issues with pam_console applying permissions to some
nvidia* files, I was wondering - would it be better to assign these
devices a group of "console" and use nsswitch to dynamically assign
console users?

I've had to reset the permissions of the device to 777, owner root and
disable the entry in console.perms, but that does allow non-local users
access to these devices.

An nsswitch module could just enumerate the entries in
/var/run/console/* and return them as part of the console group. These
users should then have access to the given console device.

Thoughts?

-- 
Matthew Mastracci <matt@aclaro.com>



_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel


* Re: "console" virtual group for desktop users
  2004-04-03  4:58 "console" virtual group for desktop users Matthew Mastracci
@ 2004-04-03 15:43 ` Waldo Bastian
  2004-04-03 18:36 ` Matthew Mastracci
  2004-04-05 15:35 ` Bill Nottingham
  2 siblings, 0 replies; 4+ messages in thread
From: Waldo Bastian @ 2004-04-03 15:43 UTC (permalink / raw)
  To: linux-hotplug

On Sat April 3 2004 06:58, Matthew Mastracci wrote:
> An nsswitch module could just enumerate the entries in
> /var/run/console/* and return them as part of the console group. These
> users should then have access to the given console device.
>
> Thoughts?

Assume that user A logs in, starts a background process, and logs out again. 
Now user B logs in. The background process of user A would continue to have 
the privileges associated with the console group afaik. That may be a 
problem.

Cheers,
Waldo
-- 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
^ bastian@kde.org | Is your software SUSE LINUX READY? | bastian@suse.com
^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

* Re: "console" virtual group for desktop users
  2004-04-03  4:58 "console" virtual group for desktop users Matthew Mastracci
  2004-04-03 15:43 ` Waldo Bastian
@ 2004-04-03 18:36 ` Matthew Mastracci
  2004-04-05 15:35 ` Bill Nottingham
  2 siblings, 0 replies; 4+ messages in thread
From: Matthew Mastracci @ 2004-04-03 18:36 UTC (permalink / raw)
  To: linux-hotplug

> > An nsswitch module could just enumerate the entries in
> > /var/run/console/* and return them as part of the console group. These
> > users should then have access to the given console device.
> >
> > Thoughts?
> 
> Assume that user A logs in, starts a background process, and logs out again. 
> Now user B logs in. The background process of user A would continue to have 
> the privileges associated with the console group afaik. That may be a 
> problem.

Good point.  I suppose adding and removing ACLs (on a filesystem that
supports it) might be a better solution.

In the meantime, I guess I'll remove all of the entries from
console.perms, set all of the devices as root.console and keep the
console group definition static with both of my local users.

Have any of the desktop environment groups put any thought into how this
stuff might work long-term?  I'm pretty certain the gdm multiple-login
feature is going to be popular, potentially causing a few headaches like
I'm having (though my case is just two X sessions on Ctrl+Alt+F7/F8).

Thanks for the info,
-- 
Matthew Mastracci <matt@aclaro.com>




* Re: "console" virtual group for desktop users
  2004-04-03  4:58 "console" virtual group for desktop users Matthew Mastracci
  2004-04-03 15:43 ` Waldo Bastian
  2004-04-03 18:36 ` Matthew Mastracci
@ 2004-04-05 15:35 ` Bill Nottingham
  2 siblings, 0 replies; 4+ messages in thread
From: Bill Nottingham @ 2004-04-05 15:35 UTC (permalink / raw)
  To: linux-hotplug

Matthew Mastracci (matt@aclaro.com) said: 
> I originally posted this message to Redhat's pam-list, but I didn't
> receive any responses.  I'm not certain if these lists are the best
> place for it, but I can see possible overlap with some of the Project
> Utopia and general Linux Hotplug work and thought it could provoke some
> useful discussion here.  
> 
> The summary of the message is the replacement of the "console.perms"
> style permissions with a "console" group, whose members would be
> provided by an nsswitch library.  These members would dynamically update
> as users create/kill X sessions, allowing two locally logged in users
> with different X sessions to share local devices (ie: /dev/dsp,
> /dev/dvd, etc.)

Temporary membership in a group = permanent membership in a group.
So it's not really a good idea by itself without other restrictions.

Bill
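
The objection raised in this thread is that a process keeps the group list it was started with, so a background process left by a logged-out user still holds the console group. That condition can be audited from /proc/<pid>/status. The following is an added example, not code from any poster in this thread: the gid 1001, the uids and the sample status text are constructed, and the caller is assumed to have already resolved the names under /var/run/console/* to uids.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample of /proc/<pid>/status for a background process left
 * behind by user A (uid 500); 1001 is a hypothetical "console" gid. */
static const char SAMPLE_STATUS[] =
    "Name:\tmixerd\nUid:\t500\t500\t500\t500\n"
    "Gid:\t500\t500\t500\t500\nGroups:\t500 1001 \n";
static const uid_t USER_B[] = { 501 };  /* only user B is at the console now */

/* Text after `key` where it starts a line of the status text, else NULL. */
static const char *status_field(const char *s, const char *key)
{
    size_t klen = strlen(key);
    for (; s && *s; s = strchr(s, '\n'), s = s ? s + 1 : s)
        if (strncmp(s, key, klen) == 0)
            return s + klen;
    return NULL;
}

/* 1: process still carries console_gid although its real uid is not an
 * active console user; 0: nothing to report; -1: unparsable status text. */
int stale_console_holder(const char *status, gid_t console_gid,
                         const uid_t *active, size_t n_active)
{
    const char *u = status_field(status, "Uid:");
    const char *g = status_field(status, "Groups:");
    char *end;
    if (!u || !g) return -1;
    uid_t ruid = (uid_t)strtoul(u, &end, 10);  /* first value: real uid */
    if (end == u) return -1;
    for (size_t i = 0; i < n_active; i++)
        if (active[i] == ruid) return 0;       /* owner is still at the console */
    for (const char *p = g; ; p = end) {       /* gids on the Groups: line only */
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\n' || *p == '\0') return 0;
        gid_t gid = (gid_t)strtoul(p, &end, 10);
        if (end == p) return -1;
        if (gid == console_gid) return 1;
    }
}

int main(void)
{
    int r = stale_console_holder(SAMPLE_STATUS, 1001, USER_B, 1);
    printf("uid 500 process holding gid 1001: %s\n", r == 1 ? "STALE" : "ok");
    return 0;
}
```

A process flagged here obtained the group while its owner was at the console and will keep it until it exits, whatever the group database says afterwards.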


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id\x1470&alloc_id638&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2004-04-05 15:35 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-04-03  4:58 "console" virtual group for desktop users Matthew Mastracci
2004-04-03 15:43 ` Waldo Bastian
2004-04-03 18:36 ` Matthew Mastracci
2004-04-05 15:35 ` Bill Nottingham

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).