On 02/04/2014 10:59 PM, Aleksandar Kuktin wrote: >> On Tue, 04 Feb 2014 21:35:03 +0100 >> "Armin K." <kre...@email.com> wrote: > >> If an user logs via SSH or VNC or whatever that's not a "real >> console", logind won't grant such users permissions to use video >> card, audio device, cdrom, usb sticks, etc. I, for one, wouldn't want >> someone to access my cdrom device when he logs in remotely as a >> different user. > > Now, the big problem with this from a system design perspective is > that, theoretically, the system should be unified. The CD or USB stick > or whatever gets mounted on the file tree and, theoretically, all users > should have access to that part of the file tree, barring any > file access permission violations. > > Same goes with other devices/resources present on the system. >
Yes, that is actually how it was before. Now udisks and logind handle that usb stick that was mounted through graphical session is only readable by that very same session using all kinds of ACL's or what not. Same goes for all device nodes that are "critical" to a single session. That's why you don't need to be a member of video or audio or whatever group to access such device nodes when you use logind. You have the permission to use the display through filesystem ACL's, and ACL's make sure that only local session will get to read the file that was "tagged" as such. Interesting design, I don't really understand it much. The ConsoleKit had the issue you mentioned, but logind managed to fix it (for some values of fix it). -- Note: My last name is not Krejzi. -- http://linuxfromscratch.org/mailman/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
