Old 03-17-2009, 12:39 AM
 
Default group nvram

Unless somebody will have persuasive objections I will change it to
group kmem in a future udev upgrade.

--
ciao,
Marco
 
Old 03-17-2009, 07:56 AM
Stephen Gran
 
Default group nvram

This one time, at band camp, Marco d'Itri said:
> Unless somebody will have persuasive objections I will change it to
> group kmem in a future udev upgrade.

This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
utilities to work, you currently need to be in group nvram. Making that
equivalent to kmem seems unnecessarily broad to me.

Cheers,
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
 
Old 03-17-2009, 09:30 AM
Holger Levsen
 
Default group nvram

Hi Marco,

On Tuesday, 17 March 2009, Marco d'Itri wrote:
> Unless somebody will have persuasive objections I will change it to
> group kmem in a future udev upgrade.

Are you planning to file bugs against affected packages to help the
transition?

How will upgrades (from lenny, etch, ...) be handled?


regards,
Holger
 
Old 03-17-2009, 09:42 AM
 
Default group nvram

On Mar 17, Stephen Gran <sgran@debian.org> wrote:

> This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
I think so.

The rationale for this change is harmonization with all other
distributions.

> utilities to work, you currently need to be in group nvram. Making that
> equivalent to kmem seems unnecessarily broad to me.
Users must not be in specific groups to access hardware, this is broken
and insecure.


On Mar 17, Holger Levsen <holger@layer-acht.org> wrote:

> Are you planning to file bugs against affected packages to help the
> transition?
I do not know which packages are affected, if any.

> How will upgrades (from lenny, etch, ...) be handled?
This is up to the maintainers of the affected package.

--
ciao,
Marco
 
Old 03-17-2009, 10:14 AM
Mike Hommey
 
Default group nvram

On Tue, Mar 17, 2009 at 11:42:52AM +0100, Marco d'Itri <md@Linux.IT> wrote:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
>
> > This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
> I think so.
>
> The rationale for this change is harmonization with all other
> distributions.
>
> > utilities to work, you currently need to be in group nvram. Making that
> > equivalent to kmem seems unnecessarily broad to me.
> Users must not be in specific groups to access hardware, this is broken
> and insecure.

Like e.g. the audio and video groups ?

Mike


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 03-17-2009, 10:15 AM
Stephen Gran
 
Default group nvram

This one time, at band camp, Marco d'Itri said:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
> > This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
> > utilities to work, you currently need to be in group nvram. Making that
> > equivalent to kmem seems unnecessarily broad to me.
>
> Users must not be in specific groups to access hardware, this is broken
> and insecure.

That's the first I've heard that argument - of course you don't give
untrusted users access to hardware, but we've always managed access to
devices with group membership (lp, dialout, etc). Are you proposing
that should change?

Cheers,
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
 
Old 03-17-2009, 10:26 AM
 
Default group nvram

On Mar 17, Stephen Gran <sgran@debian.org> wrote:

> That's the first I've heard that argument - of course you don't give
This is weird, because it has been around for quite a long time.
E.g. cp /bin/bash .; chgrp audio bash; chmod g+s bash

> untrusted users access to hardware, but we've always managed access to
> devices with group membership (lp, dialout, etc). Are you proposing
> that should change?
The rest of the Linux world is:
http://dualstack.ipv6-exp.l.google.com/search?q=policykit .

--
ciao,
Marco
 
Old 03-17-2009, 10:40 AM
Stephen Gran
 
Default group nvram

This one time, at band camp, Marco d'Itri said:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
>
> > That's the first I've heard that argument - of course you don't give
> This is weird, because it has been around for quite a long time.
> E.g. cp /bin/bash .; chgrp audio bash; chmod g+s bash

Since you can't do that unless you're already in group audio, I'm not
sure what you're trying to say. The part of my mail you cut did say
that you don't give untrusted users access to these groups.

> > untrusted users access to hardware, but we've always managed access to
> > devices with group membership (lp, dialout, etc). Are you proposing
> > that should change?
> The rest of the Linux world is:
> http://dualstack.ipv6-exp.l.google.com/search?q=policykit .

I am less than impressed with more "solutions" that depend on dbus.
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
 
Old 03-17-2009, 10:51 AM
Josselin Mouette
 
Default group nvram

On Tuesday 17 March 2009 at 12:26 +0100, Marco d'Itri wrote:
> > untrusted users access to hardware, but we've always managed access to
> > devices with group membership (lp, dialout, etc). Are you proposing
> > that should change?
> The rest of the Linux world is:
> http://dualstack.ipv6-exp.l.google.com/search?q=policykit .

Which doesn’t work for audio devices given the poor architecture of
audio APIs.

--
.'`. Debian 5.0 "Lenny" has been released!
: :' :
`. `' Last night, Darth Vader came down from planet Vulcan and told
`- me that if you don't install Lenny, he'd melt your brain.
 
Old 03-17-2009, 12:06 PM
Bernd Zeimetz
 
Default group nvram

Marco d'Itri wrote:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
>
>> That's the first I've heard that argument - of course you don't give
> This is weird, because it has been around for quite a long time.
> E.g. cp /bin/bash .; chgrp audio bash; chmod g+s bash

This argument makes as much sense as
cp /bin/bash .; chgrp md bash; chmod g+s bash
Either you're a member of a group, then you're allowed to mess with the rights of
the group, or you're not.

>> untrusted users access to hardware, but we've always managed access to
>> devices with group membership (lp, dialout, etc). Are you proposing
>> that should change?
> The rest of the Linux world is:
> http://dualstack.ipv6-exp.l.google.com/search?q=policykit .

Which means I need to run some weird agent to be able to access my printer,
serial ports and similar devices? <irony>That makes so much sense...</irony>.
Please do not try to change common and working things, just because somebody
thinks there's a fancy new piece of code which could handle it better. Remember,
there're small machines with limited memory running Debian, where you neither
want to waste memory with an agent nor do you want to run everything as root.

The idea behind policykit is not bad, but it should be introduced with care and
not by breaking well working ways of handling access.

--
Bernd Zeimetz Debian GNU/Linux Developer
GPG Fingerprint: 06C8 C9A2 EAAD E37E 5B2C BE93 067A AD04 C93B FF79
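
Added example, not part of any message in this thread: a defender-side audit for the artifact the `chgrp audio bash; chmod g+s bash` exchange is about, namely setgid files that carry a device group and are owned by an ordinary user. The group list reuses groups named in the thread; the function names, the `ignore_owner_uids` parameter and the `/home` scan root are assumptions.

```python
import grp
import os
import stat

# Device groups named in the thread; adjust to the host being audited.
DEVICE_GROUPS = ("audio", "video", "lp", "dialout", "nvram", "kmem")


def resolve_gids(groups):
    """Map group names or numeric GIDs to {gid: label}; unknown names are skipped."""
    gids = {}
    for g in groups:
        if isinstance(g, int):
            gids[g] = str(g)
            continue
        try:
            gids[grp.getgrnam(g).gr_gid] = g
        except KeyError:
            pass  # group does not exist on this host
    return gids


def find_user_setgid(root, groups=DEVICE_GROUPS, ignore_owner_uids=(0,)):
    """Return sorted (path, group, owner_uid) for setgid regular files under
    root whose group is watched and whose owner is not in ignore_owner_uids."""
    gids = resolve_gids(groups)
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a symlink out of root
            except OSError:
                continue  # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISGID:
                continue
            if st.st_gid in gids and st.st_uid not in ignore_owner_uids:
                hits.append((path, gids[st.st_gid], st.st_uid))
    return sorted(hits)


if __name__ == "__main__":
    # A hit here means group access survives removal of the user from the group.
    for path, group, uid in find_user_setgid("/home"):
        print(f"setgid {group} file owned by uid {uid}: {path}")
```

Mounting user-writable filesystems with `nosuid` makes such files inert; the scan is still useful after removing a user from a device group.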


 
