On Wed, 11 Oct 2006 13:08:27 +0200, Gernot Salzer wrote:

> It seems that users have to be added to group "audio"
> in order to be able to access audio devices, group "video" to access
> video devices, "cdrom" to access cdrom, and so on. Or did I miss some
> setting during installation of etch?
>
> Having to add users to particular groups is not reasonable in a
> desktop setting. There, one would like to have the current user
> at the console (logged in via gdm or similar) to be the one with
> exclusive rights on local devices (fixed ones like audio and video
> as well as variable ones like external usb devices).

I don't think it's possible to arrange for _exclusive_ access. Once a user has been granted access to a group it is not really possible to revoke the grant.

> Part of the problem can be solved by using libpam-permdev:
> it handles well fixed builtin devices like audio, video, cdrom,
> but fails with dynamic devices like usb sticks (the pam module
> is only active during login and therefore misses dynamic devices
> plugged in during the session).
> Moreover, since the module is not installed automatically with gdm,
> it doesn't seem to be the intended solution.

There is also pam_group which seems to do the same thing--adds users to groups depending on their name, login method and time of day.

> For dynamic devices I haven't found a solution yet. Autodetection
> and automounting of e.g. usb sticks works with gnome, if there are
> entries in /etc/fstab. However, such entries are not reasonable
> since one doesn't know in advance which devices are plugged in
> in which order.

Since groups are only set when a user logs in it's not possible to e.g., add the user to the plugdev group when they plug in a USB stick. You'd have to add them to plugdev when they log in.

I think HAL/PolicyTool/pam_foreground will eventually give us a (slow?) solution to problems like this, but it's some way off at the moment. Being able to add/revoke permissions with traditional security methods (i.e. group membership) requires kernel modification AFAIK.

-- 
Sam Morris
http://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
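The point that group membership is fixed at login and cannot be revoked from a running session, shown as an added example that is not part of the original message: it compares the groups a process holds with what /etc/group grants now. The user alice, the group IDs and the sample data are constructed, and the function names are this example's own.

```python
# Constructed sample data (not from the original message): /proc/<pid>/status
# text of a process started at login, and the current /etc/group contents.
SAMPLE_STATUS = "Name:\tgnome-session\nGid:\t1000\t1000\t1000\t1000\nGroups:\t24 29 1000\n"
SAMPLE_GROUP_DB = """\
cdrom:x:24:
audio:x:29:alice
video:x:44:alice
plugdev:x:46:alice
alice:x:1000:
"""


def parse_group_db(text):
    """Return {gid: (name, members)} from /etc/group formatted text."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        db[int(gid)] = (name, {m for m in members.split(",") if m})
    return db


def process_gids(status_text):
    """Extract supplementary group IDs from the "Groups:" line."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return {int(g) for g in line.split()[1:]}
    return set()


def group_drift(status_text, group_db_text, user, primary_gid):
    """Return (stale, pending) group names for one process.

    stale:   held by the process, no longer granted to `user` in the database
    pending: granted in the database, absent until the user logs in again
    """
    db = parse_group_db(group_db_text)
    held = process_gids(status_text)
    granted = {gid for gid, (_name, members) in db.items() if user in members}
    granted.add(primary_gid)
    names = lambda gids: sorted(db[g][0] if g in db else str(g) for g in gids)
    return names(held - granted), names(granted - held)


if __name__ == "__main__":
    stale, pending = group_drift(SAMPLE_STATUS, SAMPLE_GROUP_DB, "alice", 1000)
    print("stale:", stale, "pending:", pending)
```

In the sample, cdrom was removed from the database after login yet the session still holds it, while video and plugdev were added afterwards and are not in effect.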