consolekit and user groups

Yan Seiner yan at seiner.com
Wed Jan 21 07:37:20 PST 2009


Scott James Remnant wrote:
> On Wed, 2009-01-21 at 07:07 -0800, Yan Seiner wrote:
>
>   
>> My concept has been to assign all those resources to a group: seatX.  
>> When user userX logs in, he is made a member of group seatX, and has 
>> access to those resources.
>>
>>     
> You do not want to do this.
>
> Group access is forever; once the user is in seat1, they can be
> effectively assumed to be forever on seat1.  If they should subsequently
> sit in seat2, they're now basically in seat1 and seat2 simultaneously.
>
> The preferred method is that ACLs are used on the device nodes.  HAL,
> using PK/CK, will add ACLs for the devices based on who is at the seat.
>
>
> For example, here's my cdrom device:
>
> brw-rw----+ 1 root cdrom 11, 1 2009-01-17 15:18 /dev/scd1
>
> The "cdrom" group is for _system_software_ (i.e. daemons) that routinely
> access the device; users should NOT be placed in the group.
>
> Note the "+" on the end of the permissions, that means there are ACLs
> that apply.
>
> quest scott% getfacl /dev/scd1
> getfacl: Removing leading '/' from absolute path names
> # file: dev/scd1
> # owner: root
> # group: cdrom
> user::rw-
> user:scott:rw-
> group::rw-
> mask::rw-
> other::---
>
> And here we see that a user ACL for myself has been added, because I'm
> at the same seat as the CDROM drive.
>
>
> Should I stand up, and log out, the ACL will be removed and I will
> instantly lose access to that drive.  I can't ssh in later, or sit in
> another seat, and get access again.
>   
This sounds like exactly what I am trying to do!

So you set

setfacl /dev/cdrom

at login (I'm thinking via gdm PreSession) and then when you log out it 
automagically goes away?  Or do I have to do setfacl again to remove the ACL?

That sounds a lot simpler than ConsoleKit!  Yippeee!  :-)

--Yan



> Scott
>   
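
Added example, not part of the original messages or of HAL/ConsoleKit: a parser for the `getfacl` listing quoted above that reports named-user ACL entries whose user is not currently at the seat. An entry added by hand with `setfacl -m` stays on the node until something removes it (for example `setfacl -x`), which is the case this check catches. The function names, the `seated_users` input and the extra "alice" entry are assumptions constructed for illustration.

```python
# Added example: audit named-user ACL entries in `getfacl` output.
# SAMPLE is constructed from the listing quoted in the thread, plus one
# constructed entry ("alice") standing in for a grant that was never removed.
SAMPLE = """\
# file: dev/scd1
# owner: root
# group: cdrom
user::rw-
user:scott:rw-
user:alice:rw-
group::rw-
mask::rw-
other::---
"""


def parse_getfacl(text):
    """Return (meta, entries); entries are (tag, qualifier, perms) tuples."""
    meta, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and ": " in line:
            key, value = line[2:].split(": ", 1)
            meta[key] = value
        elif line and not line.startswith("#"):
            # Drop the "#effective:..." comment getfacl may append.
            parts = line.split("#")[0].split()[0].split(":")
            if len(parts) == 3:  # tag:qualifier:perms; skips default: entries
                entries.append(tuple(parts))
    return meta, entries


def effective(perms, mask):
    """Named-user and group entries are limited by the mask entry."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def stale_user_grants(text, seated_users):
    """Named users with effective access who are not at the seat."""
    _, entries = parse_getfacl(text)
    mask = next((p for t, _q, p in entries if t == "mask"), None)
    stale = []
    for tag, qualifier, perms in entries:
        if tag != "user" or not qualifier:
            continue  # skip the owner entry (empty qualifier) and other tags
        eff = effective(perms, mask) if mask else perms
        if eff != "---" and qualifier not in seated_users:
            stale.append((qualifier, eff))
    return stale


if __name__ == "__main__":
    meta, _ = parse_getfacl(SAMPLE)
    for user, perms in stale_user_grants(SAMPLE, seated_users={"scott"}):
        print(f"{meta['file']}: {user} has {perms} but is not at the seat")
```
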