
List:       debian-user
Subject:    Re: piece of mind (Re: Moderated posts?)
From:       Joel Rees <joel.rees () gmail ! com>
Date:       2014-10-15 22:31:56
Message-ID: CAAr43iPTvyE1PAgLvwdDqyTV22v6mBRQhhS1hDkEciv4LxSWJg () mail ! gmail ! com

2014/10/16 5:59 "Andrei POPESCU" <andreimpopescu@gmail.com>:
>
> On Mi, 15 oct 14, 09:46:47, The Wanderer wrote:
> >
> > I suspect that the answer is "they just didn't provide the functionality
> > which ConsoleKit, and later systemd-logind, now enable them to provide",
> > but I'm not aware - in a clear-understanding, defined-boundaries sense -
> > of exactly what that functionality is, or of why it would be necessary
> > or otherwise valuable, or of what the problem is which that
> > functionality was intended to address.
>
> A problem that ConsoleKit and logind are trying to address is handling
> permissions to access devices.
>
> Traditionally on *nix machines this was done with user groups, e.g.
> members of 'audio' would have full (read/write) access to all audio
> devices and members of 'video' would have full access to video cards or
> web-cams.
>
> The problem with this approach is that it's not fine-grained enough,
> i.e. it can't distinguish between users logged in locally or via ssh.
> This means Mallory could easily spy on Alice remotely, just by being a
> member of 'audio' and 'video'.
>
> Hope this explains,
> Andrei

Two thoughts that this problem brings to mind --

(1) Why should it matter? Local? Remote? A hole is a hole.

(1.5) How does ssh deal with making connections private? Any clues there?

(2) There are times when I don't want to have to be logged in as an admin
user to be able to make an ephemeral group. I've understood that for ten
years. When am I going to make the time to construct the package to manage
it within the standard unix permissions model?

:-(

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.

Archive: https://lists.debian.org/CAAr43iPTvyE1PAgLvwdDqyTV22v6mBRQhhS1hDkEciv4LxSWJg@mail.gmail.com