[ConsoleKit] Permissions with consolekit and gdm

[Kay Sievers]

On Fri, Jul 2, 2010 at 09:44, Christoph Pleger
<Christoph.Pleger at cs.tu-dortmund.de> wrote:
>> It's probably udev which re-sets the permissions to the configured
>> setting when something changes and a device event is handled.
>
> With my configuration, pam_devperm.so does not change the permissions
> of device nodes that are acted upon by udev, except during the boot
> process. On my machine, pam_devperm.so only changes ownerships of
> device nodes that are always present after booting has finished, for
> example /dev/dsp. After booting, no udev event happens for this
> device, so I do not believe that udev has anything to do with my
> problem.
>
> Additionally, like I wrote, the problem only occurs if consolekit
> is installed and gdm is used as display manager. It does not occur
> if consolekit is not installed and it does not occur if consolekit
> is installed and for example kdm is used as display manager.

Kernel device events can happen any time, the kernel is free to send
'change' events whenever needed, or userspace tools re-apply udev
configuration by synthesizing events.

It is not safe to ever change permissions of any udev managed device
node, like this PAM module is doing. What exactly is the reason here
now, does not really matter. It will only take you to the next case,
which will very likely happen, even without GDM/ConsoleKit/... You
just can't mangle /dev in this un-managed way these days. It will just
fail in all sorts of setups. You need to use ACLs or plug into udev,
there are no other options.

Kay