List: debian-user
Subject: Re: piece of mind (Re: Moderated posts?)
From: Joel Rees <joel.rees () gmail ! com>
Date: 2014-10-15 22:31:56
Message-ID: CAAr43iPTvyE1PAgLvwdDqyTV22v6mBRQhhS1hDkEciv4LxSWJg () mail ! gmail ! com
2014/10/16 5:59 "Andrei POPESCU" <andreimpopescu@gmail.com>:
>
> On Mi, 15 oct 14, 09:46:47, The Wanderer wrote:
> >
> > I suspect that the answer is "they just didn't provide the functionality
> > which ConsoleKit, and later systemd-logind, now enable them to provide",
> > but I'm not aware - in a clear-understanding, defined-boundaries sense -
> > of exactly what that functionality is, or of why it would be necessary
> > or otherwise valuable, or of what the problem is which that
> > functionality was intended to address.
>
> A problem that ConsoleKit and logind are trying to address is handling
> permissions to access devices.
>
> Traditionally on *nix machines this was done with user groups, e.g.
> members of 'audio' would have full (read/write) access to all audio
> devices and members of 'video' would have full access to video cards or
> web-cams.
>
> The problem with this approach is that it's not fine-grained enough,
> i.e. it can't distinguish between users logged in locally or via ssh.
> This means Mallory could easily spy on Alice remotely, just by being a
> member of 'audio' and 'video'.
>
> Hope this explains,
> Andrei
Two thoughts that this problem brings to mind --
(1) Why should it matter? Local? Remote? A hole is a hole.
(1.5) How does ssh deal with making connections private? Any clues there?
(2) There are times when I don't want to have to be logged in as an admin
user to be able to make an ephemeral group. I've understood that for ten
years. When am I going to make the time to construct the package to manage
it within the standard unix permissions model?
:-(
Joel Rees
Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.
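An added audit script, not part of this thread, that checks for the weakness Andrei describes: it joins /etc/group-style membership against `who`-style session output and lists users who hold 'audio' or 'video' through static group membership while logged in from a remote host. Both inputs below are constructed samples; on a real host you would read /etc/group and run `who`.

```python
import re

# Constructed sample /etc/group lines (not from a real host).
GROUP_FILE = """\
audio:x:29:alice,mallory
video:x:44:mallory
users:x:100:alice,bob
"""
# Constructed sample `who` output: one local tty session and two ssh
# sessions (remote sessions show the originating host in parentheses).
WHO_OUTPUT = """\
alice    tty2         2014-10-15 09:46
mallory  pts/0        2014-10-15 22:31 (203.0.113.7)
bob      pts/1        2014-10-15 22:40 (198.51.100.9)
"""
DEVICE_GROUPS = ("audio", "video")


def parse_groups(text):
    """Map group name -> set of member users from /etc/group-formatted text."""
    members = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, users = line.split(":", 3)
        members[name] = {u for u in users.split(",") if u}
    return members


def parse_sessions(text):
    """Map user -> list of remote hosts (None for a local session) from `who`."""
    sessions = {}
    pat = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+(?:\s+\((.*)\))?\s*$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            user, host = m.groups()
            sessions.setdefault(user, []).append(host)
    return sessions


def remote_device_access(group_text, who_text, device_groups=DEVICE_GROUPS):
    """Users with a remote session who hold a device group: the static group
    model gives them the same device access as a user sitting at the console."""
    groups = parse_groups(group_text)
    findings = {}
    for user, hosts in parse_sessions(who_text).items():
        if not any(hosts):
            continue  # local-only sessions are not the case the thread worries about
        held = sorted(g for g in device_groups if user in groups.get(g, set()))
        if held:
            findings[user] = held
    return findings
```

Running `remote_device_access(GROUP_FILE, WHO_OUTPUT)` on the samples flags only mallory, who is logged in over ssh yet holds both device groups; alice is local and bob holds neither group.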
Archive: https://lists.debian.org/CAAr43iPTvyE1PAgLvwdDqyTV22v6mBRQhhS1hDkEciv4LxSWJg@mail.gmail.com