Unless somebody will have persuasive objections I will change it to
group kmem in a future udev upgrade.
--
ciao,
Marco
03-17-2009, 07:56 AM
Stephen Gran
group nvram
This one time, at band camp, Marco d'Itri said:
> Unless somebody will have persuasive objections I will change it to
> group kmem in a future udev upgrade.
This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
utilities to work, you currently need to be in group nvram. Making that
equivalent to kmem seems unnecessarily broad to me.
Cheers,
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
03-17-2009, 09:30 AM
Holger Levsen
group nvram
Hi Marco,
On Tuesday, 17 March 2009, Marco d'Itri wrote:
> Unless somebody will have persuasive objections I will change it to
> group kmem in a future udev upgrade.
Are you planning to file bugs against affected packages to help the
transition?
How will upgrades (from lenny, etch, ...) be handled?
regards,
Holger
03-17-2009, 09:42 AM
group nvram
On Mar 17, Stephen Gran <sgran@debian.org> wrote:
> This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
I think so.
The rationale for this change is harmonization with all other
distributions.
> utilities to work, you currently need to be in group nvram. Making that
> equivalent to kmem seems unnecessarily broad to me.
Users must not be in specific groups to access hardware, this is broken
and insecure.
On Mar 17, Holger Levsen <holger@layer-acht.org> wrote:
> Are you planning to file bugs against affected packages to help the
> transition?
I do not know which packages are affected, if any.
> How will upgrades (from lenny, etch, ...) be handled?
This is up to the maintainers of the affected package.
03-17-2009, 10:14 AM
Mike Hommey
group nvram
On Tue, Mar 17, 2009 at 11:42:52AM +0100, Marco d'Itri <md@Linux.IT> wrote:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
>
> > This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
> I think so.
>
> The rationale for this change is harmonization with all other
> distributions.
>
> > utilities to work, you currently need to be in group nvram. Making that
> > equivalent to kmem seems unnecessarily broad to me.
> Users must not be in specific groups to access hardware, this is broken
> and insecure.
Like e.g. the audio and video groups ?
Mike
--
03-17-2009, 10:15 AM
Stephen Gran
group nvram
This one time, at band camp, Marco d'Itri said:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
> > This is the thinkpad /dev/nvram stuff, right? I thought for some tpctl
> > utilities to work, you currently need to be in group nvram. Making that
> > equivalent to kmem seems unnecessarily broad to me.
>
> Users must not be in specific groups to access hardware, this is broken
> and insecure.
That's the first I've heard that argument - of course you don't give
untrusted users access to hardware, but we've always managed access to
devices with group membership (lp, dialout, etc). Are you proposing
that should change?
Cheers,
03-17-2009, 10:26 AM
group nvram
On Mar 17, Stephen Gran <sgran@debian.org> wrote:
> That's the first I've heard that argument - of course you don't give
This is weird, because it has been around for quite a long time.
E.g. cp /bin/bash .; chgrp audio bash; chmod g+s bash
> untrusted users access to hardware, but we've always managed access to
> devices with group membership (lp, dialout, etc). Are you proposing
> that should change?
The rest of the Linux world is:
http://dualstack.ipv6-exp.l.google.com/search?q=policykit .
03-17-2009, 10:40 AM
Stephen Gran
group nvram
This one time, at band camp, Marco d'Itri said:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
>
> > That's the first I've heard that argument - of course you don't give
> This is weird, because it has been around for quite a long time.
> E.g. cp /bin/bash .; chgrp audio bash; chmod g+s bash
Since you can't do that unless you're already in group audio, I'm not
sure what you're trying to say. The part of my mail you cut did say
that you don't give untrusted users access to these groups.
> > untrusted users access to hardware, but we've always managed access to
> > devices with group membership (lp, dialout, etc). Are you proposing
> > that should change?
> The rest of the Linux world is:
> http://dualstack.ipv6-exp.l.google.com/search?q=policykit .
I am less than impressed with more "solutions" that depend on dbus.
Which doesn’t work for audio devices given the poor architecture of
audio APIs.
--
.'`. Debian 5.0 "Lenny" has been released!
: :' :
`. `' Last night, Darth Vader came down from planet Vulcan and told
`- me that if you don't install Lenny, he'd melt your brain.
03-17-2009, 12:06 PM
Bernd Zeimetz
group nvram
Marco d'Itri wrote:
> On Mar 17, Stephen Gran <sgran@debian.org> wrote:
>
>> That's the first I've heard that argument - of course you don't give
> This is weird, because it has been around for quite a long time.
> E.g. cp /bin/bash .; chgrp audio bash; chmod g+s bash
This argument makes as much sense as
cp /bin/bash .; chgrp md bash; chmod g+s bash
Either you're a member of a group, in which case you're allowed to mess with the rights of
the group, or you're not.
>> untrusted users access to hardware, but we've always managed access to
>> devices with group membership (lp, dialout, etc). Are you proposing
>> that should change?
> The rest of the Linux world is:
> http://dualstack.ipv6-exp.l.google.com/search?q=policykit .
Which means I need to run some weird agent to be able to access my printer,
serial ports and similar devices? <irony>That makes so much sense...</irony>.
Please do not try to change common and working things just because somebody
thinks there's a fancy new piece of code which could handle it better. Remember,
there are small machines with limited memory running Debian, where you neither
want to waste memory with an agent nor do you want to run everything as root.
The idea behind policykit is not bad, but it should be introduced with care and
not by breaking well-working ways of handling access.
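As an added example (not posted by anyone in this thread): a small POSIX shell audit for the persistence that the "cp /bin/bash .; chgrp audio bash; chmod g+s bash" one-liner produces, i.e. setgid executables owned by a device-access group such as audio, video, kmem or nvram, plus a reader for the group's supplementary members from an /etc/group-style file. The function names and the sample group file are my own.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread). A member of a device
# group can create a setgid copy of a shell and keep that group's device
# access even after being removed from the group; these functions let an
# admin find such files and see who is currently in the group.

# find_setgid_for_group DIR GROUP -> prints matching paths, one per line.
# GROUP may be a name or a numeric gid; -xdev keeps the scan on one filesystem.
find_setgid_for_group() {
    dir=$1
    group=$2
    find "$dir" -xdev -type f -perm -2000 -group "$group" 2>/dev/null
}

# count_setgid_for_group DIR GROUP -> echoes the number of matches (0 if none)
count_setgid_for_group() {
    find_setgid_for_group "$1" "$2" | wc -l | tr -d ' '
}

# audit_groups DIR GROUP... -> one "group count" line per group, so the
# device groups under discussion can be checked in one call, e.g.
#   audit_groups / audio video kmem nvram
audit_groups() {
    dir=$1
    shift
    for g in "$@"; do
        printf '%s %s\n' "$g" "$(count_setgid_for_group "$dir" "$g")"
    done
}

# group_members GROUP_FILE GROUP -> the comma-separated supplementary members
# of GROUP from an /etc/group-style file (users whose primary group it is are
# not listed there and are not covered by this function).
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}
```

Run `audit_groups / audio video kmem nvram` as root to cover the whole system; as an ordinary user the scan silently skips directories it cannot read.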