On Tue, Dec 29, 2020 at 11:09:44PM +0100, Mark Kettenis wrote:
> > Date: Tue, 29 Dec 2020 15:24:58 +0100
> > From: Marcus Glocker <mar...@nazgul.ch>
> >
> > Now that we have a switch in place with kern.video.record which requires
> > initial root access to enable video recording, I want to propose the idea
> > of making the /dev/video* devices accessible to users who are a member
> > of the 'video' group:
> >
> > lrwxr-xr-x 1 root wheel 6 Dec 29 12:38 video -> video0
> > crw-rw---- 1 root video 44, 0 Dec 29 12:38 video0
> > crw-rw---- 1 root video 44, 1 Dec 29 12:38 video1
> >
> > With this we would enable a default setup which avoids running
> > video programs as root, or pushing people to manually tweak the
> > /dev/video* permissions.
> >
> > In this diff I'm re-using group id 6, which was the first free one
> > found. I'm not sure if this is the right approach.
> >
> > What do you think?
>
> How useful is this really? In the context of laptop cameras, this
> does allow users in that group to spy on each other. So here using
> fbtab(5) and /etc/X11/xdm/{Give|Take}Console to chown the device might
> make more sense.
>
> There might be other contexts where your group-based approach might
> make more sense. But this might interfere with login_fbtab(3). What
> did you have in mind?

I'm just discussing the fbtab(5) approach with Theo, who had the same suggestion. I currently just don't understand how fbtab(5) can play nice with xenodm(1). Trying to wrap my head around it ...