07-09-2008, 08:57 PM
Chris Adams

kill pam_console

Once upon a time, Bill Nottingham <notting@redhat.com> said:
> Chris Adams (cmadams@hiwaay.net) said:
> > I am slow on the up-take here, but how do I use the "HAL-based ACL
> > support" to replace pam_console? For example, on a system with serial
> > ports used for accessing other consoles, I have a 10-serial.perms like:
> >
> > ######################################################################
> > <serial>=/dev/ttyS[0-9]* /dev/ttyUSB[0-9]*
> >
> > <console> 0660 <serial> 0660 root.uucp
> > ######################################################################
> >
> > How do I replace that?
>
> See /usr/share/hal/fdi/policy/10osvendor/00-thinkfinger.fdi for an
> example of something that does access control. What does lshal
> have for your serial devices?

One is old-style serial and one is USB:

#######################################################################
udi = '/org/freedesktop/Hal/devices/pnp_PNP0501_0_serial_platform_1'
info.capabilities = {'serial'} (string list)
info.category = 'serial' (string)
info.parent = '/org/freedesktop/Hal/devices/pnp_PNP0501_0' (string)
info.product = '16550A-compatible COM port' (string)
info.udi = '/org/freedesktop/Hal/devices/pnp_PNP0501_0_serial_platform_1' (string)
linux.device_file = '/dev/ttyS1' (string)
linux.hotplug_type = 2 (0x2) (int)
linux.subsystem = 'tty' (string)
linux.sysfs_path = '/sys/class/tty/ttyS1' (string)
serial.device = '/dev/ttyS1' (string)
serial.originating_device = '/org/freedesktop/Hal/devices/pnp_PNP0501_0' (string)
serial.physical_device = '/org/freedesktop/Hal/devices/pnp_PNP0501_0' (string)
serial.port = 1 (0x1) (int)
serial.type = 'platform' (string)

udi = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0_serial_usb_0'
info.capabilities = {'serial'} (string list)
info.category = 'serial' (string)
info.parent = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0' (string)
info.product = 'F5U109/F5U409 PDA Adapter' (string)
info.udi = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0_serial_usb_0' (string)
linux.device_file = '/dev/ttyUSB0' (string)
linux.hotplug_type = 2 (0x2) (int)
linux.subsystem = 'tty' (string)
linux.sysfs_path = '/sys/class/tty/ttyUSB0' (string)
serial.device = '/dev/ttyUSB0' (string)
serial.originating_device = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0' (string)
serial.physical_device = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0' (string)
serial.port = 0 (0x0) (int)
serial.type = 'usb' (string)
#######################################################################

If I just wanted all serial ports assigned (like in my pam_console bit
above), I guess something like this would work?

#######################################################################
<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="serial.port" exists="true">
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      <merge key="access_control.type" type="string">serial</merge>
    </match>
  </device>
</deviceinfo>
#######################################################################

I have another system where I have multiple USB-to-RS232 adapters; one
is used for outbound terminal sessions (console user gets access) and
one for a modem (no console access). I differentiate between the two
with a udev rule that adds a symlink (e.g. "term" and "modem") and then
set the permissions with a pam_console match on the symlink. Is it
possible to match something set from udev like that (so I don't have two
places to keep track of hardware serial numbers and such for matching)?

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
07-09-2008, 09:04 PM
Bill Nottingham

kill pam_console

Chris Adams (cmadams@hiwaay.net) said:
> If I just wanted all serial ports assigned (like in my pam_console bit
> above), I guess something like this would work?
>
> #######################################################################
> <?xml version="1.0" encoding="UTF-8"?>
> <deviceinfo version="0.2">
>   <device>
>     <match key="serial.port" exists="true">
>       <append key="info.capabilities" type="strlist">access_control</append>
>       <merge key="access_control.file" type="copy_property">linux.device_file</merge>
>       <merge key="access_control.type" type="string">serial</merge>
>     </match>
>   </device>
> </deviceinfo>
> #######################################################################

Something along those lines, yes.

> I have another system where I have multiple USB-to-RS232 adapters; one
> is used for outbound terminal sessions (console user gets access) and
> one for a modem (no console access). I differentiate between the two
> with a udev rule that adds a symlink (e.g. "term" and "modem") and then
> set the permissions with a pam_console match on the symlink. Is it
> possible to match something set from udev like that (so I don't have two
> places to keep track of hardware serial numbers and such for matching)?

This is a two-stage process. For examples see:

/usr/share/hal/fdi/information/10freedesktop/10-usb-pda.fdi

followed by:

/usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi

The first looks at varying information in HAL (such as the driver
being the ipaq driver, or the USB vendor/product ids) and then adds
the 'pda' capability to the device. The second file then adds ACL
management to any device with 'pda' capabilities.

So, you'd want to use whatever criteria you're using in udev to
set a capability on the device, and then add the stanza to only
apply ACLs to devices with that capability. (Depending on the
criteria you're using in udev, you might be able to craft the
match without adding a property.)

Bill

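As an added illustration of the two-stage matching Bill describes (example code written for this archive, not from the thread or from HAL): a small Python simulation that parses lshal-style output like the dump Chris posted, applies a first-stage predicate standing in for whatever criteria udev uses (the 'serial_terminal' capability name is an assumption), and then grants access_control only to devices carrying that capability, so a modem port that never gets the capability never gets the ACL.

```python
import re
# Constructed sample in lshal's "key = value (type)" dump format, trimmed from the two devices Chris posted.
LSHAL_DUMP = """\
udi = '/org/freedesktop/Hal/devices/pnp_PNP0501_0_serial_platform_1'
info.capabilities = {'serial'} (string list)
linux.device_file = '/dev/ttyS1' (string)
serial.port = 1 (0x1) (int)
serial.type = 'platform' (string)

udi = '/org/freedesktop/Hal/devices/usb_device_50d_109_862270_if0_serial_usb_0'
info.capabilities = {'serial'} (string list)
linux.device_file = '/dev/ttyUSB0' (string)
serial.port = 0 (0x0) (int)
serial.type = 'usb' (string)
"""

LINE_RE = re.compile(r"^(\S+) = (.*?) \((string|int|string list)\)$")

def parse_lshal(text):
    """Parse an lshal dump into {udi: {key: value}} (str, int or list values)."""
    devices, cur = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if line.startswith("udi = "):
            cur = devices.setdefault(line[7:-1], {})  # strip "udi = '" and trailing quote
        elif m and cur is not None:
            key, raw, typ = m.groups()
            if typ == "int":
                cur[key] = int(raw.split()[0])  # "1 (0x1)" -> 1
            elif typ == "string list":
                cur[key] = re.findall(r"'([^']*)'", raw)  # "{'serial'}" -> ['serial']
            else:
                cur[key] = raw.strip("'")
    return devices

def apply_policy(devices, is_terminal):
    """Stage 1 (10-usb-pda.fdi's role): tag serial devices that satisfy
    is_terminal, standing in for Chris's udev criteria, with the assumed
    'serial_terminal' capability. Stage 2 (20-acl-management.fdi's role):
    only devices carrying that capability get access_control.* keys."""
    granted = set()
    for props in devices.values():
        if "serial.port" in props and is_terminal(props):
            props.setdefault("info.capabilities", []).append("serial_terminal")
        if "serial_terminal" in props.get("info.capabilities", []):
            props["access_control.file"] = props["linux.device_file"]
            props["access_control.type"] = "serial"
            granted.add(props["access_control.file"])
    return granted
```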
 
07-09-2008, 09:11 PM
"Jeff Spaleta"

kill pam_console

On Wed, Jul 9, 2008 at 1:04 PM, Bill Nottingham <notting@redhat.com> wrote:
> This is a two-stage process. For examples see:
>
> /usr/share/hal/fdi/information/10freedesktop/10-usb-pda.fdi
>
> followed by:
>
> /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi

I think that was the first explanation of how to do this sort of thing on
how to generate new hardware access control rules that I've actually
followed.

Do the changes you have described get automatically picked up so
include new acl controlled hardware definitions in the authorizations
gui?

-jef

 
07-09-2008, 09:33 PM
Bill Nottingham

kill pam_console

Jeff Spaleta (jspaleta@gmail.com) said:
> > /usr/share/hal/fdi/information/10freedesktop/10-usb-pda.fdi
> >
> > followed by:
> >
> > /usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi
>
> I think that was the first explanation of how to do this sort of thing on
> how to generate new hardware access control rules that I've actually
> followed.

Well, at least until David chimes in and tells me I'm doing this wrong.

> Do the changes you have described get automatically picked up so
> include new acl controlled hardware definitions in the authorizations
> gui?

This is independent of PolicyKit - AFAIK, there's no GUIs for this stuff.

Bill

 
07-09-2008, 09:50 PM
"Jeff Spaleta"

kill pam_console

On Wed, Jul 9, 2008 at 1:33 PM, Bill Nottingham <notting@redhat.com> wrote:
> This is independent of PolicyKit - AFAIK, there's no GUIs for this stuff.

I thought the Authorization gui in F9 exposed the acl stuff for devices.

Following the pda example you started in the Authorizations gui tree
aka polkit-gnome-authorizations from a terminal cmdline

org
->freedesktop
->hal
->device-access
->"Directly access PDA devices"

Doesn't that directly relate to the acl settings for the devices
marked with the pda capability?
How would I go about getting another sort of device similarly listed
in the gui under device-access?

What if I wanted to define acls for 'serial' devices similar to what
Chris wants to do, but expose them in the Authorizations gui as
"Directly access Serial devices" similar to how the pda devices are in
fact exposed currently... what's the black magic?

-jef"I actually want to expose a USB to I2C bridge device that you
probably don't have access to, but I won't confuse things by
referencing pedantic niche hardware that you don't have access
to"spaleta

 
07-09-2008, 10:21 PM
Bill Nottingham

kill pam_console

Jeff Spaleta (jspaleta@gmail.com) said:
> On Wed, Jul 9, 2008 at 1:33 PM, Bill Nottingham <notting@redhat.com> wrote:
> > This is independent of PolicyKit - AFAIK, there's no GUIs for this stuff.
>
> I thought the Authorization gui in F9 exposed the acl stuff for devices.
>
> Following the pda example you started in the Authorizations gui tree
> aka polkit-gnome-authorizations from a terminal cmdline
>
> org
> ->freedesktop
> ->hal
> ->device-access
> ->"Directly access PDA devices"
>
> Doesn't that directly relate to the acl settings for the devices
> marked with the pda capability?

Oops, yes it does. Shame on me.

> How would I go about getting another sort of device similarly listed
> in the gui under device-access?

At a minimum, you'd need a policy file similar to
/usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy
for the device class. I'm not sure if this needs specific HAL modifications
to add new classes, though. Try it and find out?

Bill

 
07-09-2008, 11:02 PM
Karel Zak

kill pam_console

On Wed, Jul 09, 2008 at 03:23:36PM -0400, Bill Nottingham wrote:
> We've carried both pam_console and HAL-based ACL support for a while
> now. It's time to cut the cord and remove pam_console, so we only
> have one way of setting device permissions to worry about.

Right. I'd like to remove support for the Fedora/RHEL-specific
'pamconsole' mount option from mount(8). Comments?

Karel

--
Karel Zak <kzak@redhat.com>

 
07-10-2008, 02:26 AM
Bill Nottingham

kill pam_console

Karel Zak (kzak@redhat.com) said:
> On Wed, Jul 09, 2008 at 03:23:36PM -0400, Bill Nottingham wrote:
> > We've carried both pam_console and HAL-based ACL support for a while
> > now. It's time to cut the cord and remove pam_console, so we only
> > have one way of setting device permissions to worry about.
>
> Right. I'd like to remove support for the Fedora/RHEL-specific
> 'pamconsole' mount option from mount(8). Comments?

Considering:

a) 'user' and 'owner' already exist
b) most any recent desktop isn't doing fstab editing anyway

I'm not sure it's needed.

Bill

 
07-10-2008, 11:07 AM
Dmitry Butskoy

kill pam_console

Bill Nottingham wrote:
> We've carried both pam_console and HAL-based ACL support for a while
> now. It's time to cut the cord and remove pam_console, so we only
> have one way of setting device permissions to worry about.

Just in case:

I hope that pam_console will not be removed from the distribution at
all. Besides the permission stuff in its "session" part, it also
contains useful features in "auth" ...



~buc

 
07-10-2008, 02:08 PM
David Zeuthen

kill pam_console

On Wed, 2008-07-09 at 15:23 -0400, Bill Nottingham wrote:
> We've carried both pam_console and HAL-based ACL support for a while
> now. It's time to cut the cord and remove pam_console, so we only
> have one way of setting device permissions to worry about.

The plan is actually to move this to ConsoleKit (HAL is going away and
all that etc. etc.), but that's most likely F11 material. So I'd suggest
holding off on this feature for now.

David

