[ConsoleKit] Permissions with consolekit and gdm

Kay Sievers kay.sievers at vrfy.org
Fri Jul 2 00:06:56 PDT 2010


On Fri, Jul 2, 2010 at 08:45, Christoph Pleger
<Christoph.Pleger at cs.tu-dortmund.de> wrote:
> I have been using pam_devperm.so for a long time. pam_devperm.so is a
> PAM module that, with my configuration, changes the ownerships and
> permissions of some device nodes in /dev when a user logs in on :0, so
> that the device nodes belong to that user and get permissions 600.
>
> Now I realized that if consolekit is installed and additionally gdm is
> used as display manager, the permissions of the device nodes are set to
> 600, but then they are reset to 660.
>
> What does consolekit do that causes the permissions to be changed if
> gdm is used as display manager?

It's probably udev which resets the permissions to the configured
setting when something changes and a device event is handled.

Changing primary ownership of device nodes to settings other than the
ones specified in udev rules is not supported; udev will always
restore the old setting with the next event for this device.

It seems this PAM module cannot reliably be used with udev systems. You
have to apply additional ACLs to device nodes, and not touch any
owner, group, mode -- or alternatively write out corresponding
temporary udev rules at the same time you change the primary settings.

Udev itself grants locally logged-in users access to some devices
based on ConsoleKit information:
  http://git.kernel.org/?p=linux/hotplug/udev.git;a=blob;f=extras/udev-acl/70-acl.rules;hb=HEAD
You might want to extend that locally to your needs, and no longer use
the PAM module.

Kay
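
A sketch of the "temporary udev rules" alternative mentioned in the reply, added here as an example and not part of the original message or of udev, ConsoleKit or pam_devperm. It assumes the volatile rules directory /run/udev/rules.d from udev(7) on current systems, a hypothetical file name 99-seat-owner-<user>.rules, and that each node's basename equals its kernel device name.

```python
import os
import re
import tempfile

# Assumption: volatile rules directory documented in udev(7) on current systems.
RUNTIME_RULES_DIR = "/run/udev/rules.d"
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# No quotes, whitespace or udev glob characters (* ? [ ] |): a name can
# neither break out of the quoted value nor widen the KERNEL match.
_KERNEL_RE = re.compile(r"^[A-Za-z0-9_.:+-]+$")

def rules_path(user, rules_dir=RUNTIME_RULES_DIR):
    """Path of the per-user rules file (hypothetical naming scheme)."""
    if not _USER_RE.match(user):
        raise ValueError(f"unsafe user name: {user!r}")
    # "99-" sorts late, so these assignments follow the configured defaults.
    return os.path.join(rules_dir, f"99-seat-owner-{user}.rules")

def build_rules(user, nodes, mode="0600"):
    """Return rule text that makes `user` the primary owner of each node."""
    rules_path(user)  # validates the user name
    if not re.match(r"^0[0-7]{3}$", mode):
        raise ValueError(f"bad mode: {mode!r}")
    lines = [f"# temporary seat rules for {user}"]
    for node in nodes:
        kernel = os.path.basename(node)
        if not node.startswith("/dev/") or not _KERNEL_RE.match(kernel):
            raise ValueError(f"unsafe device node: {node!r}")
        lines.append(f'KERNEL=="{kernel}", OWNER="{user}", MODE="{mode}"')
    return "\n".join(lines) + "\n"

def install_rules(user, nodes, rules_dir=RUNTIME_RULES_DIR):
    """Login: write the rules atomically, before chown/chmod of the nodes."""
    text = build_rules(user, nodes)  # raises before anything is written
    os.makedirs(rules_dir, exist_ok=True)
    # udev only reads *.rules, so the temporary name is ignored.
    fd, tmp = tempfile.mkstemp(dir=rules_dir, prefix=".seat-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    path = rules_path(user, rules_dir)
    os.replace(tmp, path)
    return path

def remove_rules(user, rules_dir=RUNTIME_RULES_DIR):
    """Logout: drop the file so the configured settings apply again."""
    try:
        os.unlink(rules_path(user, rules_dir))
    except FileNotFoundError:
        pass
```

With the file in place, the next device event re-applies the per-user owner and mode instead of the defaults; a rule elsewhere that uses a final `:=` assignment would still take precedence.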

