Managing ACL's on device nodes

Bill Nottingham notting at redhat.com
Tue Feb 6 20:10:36 PST 2007


David Zeuthen (david at fubar.dk) said: 
> Thanks for considering. I'm probably going to start hacking on this
> tomorrow morning EST but I thought it would be good to ask for opinions
> etc. before.

So, some questions/comments - take them with a grain of salt.

Since it's granting device access, this puts hald in the security path -
it's something that can't fall over, or devices won't get reset on logout.
Obviously, we want it to be bulletproof anyway, but it's worth mentioning.
What's the behavior if ConsoleKit goes AWOL, for whatever reason, or if
GDM/the X session crashes?

How are seats named/described (re: info.access.seats)? (Yeah, I should
probably just read the ConsoleKit docs.)

It looks like we're going to need to extend this if we want it to work on
the virtual console.

We don't (unless I'm mistaken) have revoke(); without this, ACLs aren't
bulletproof (but neither is chown). Of course, once we get revoke(),
apps will probably break. :)

It's moving the changing of device ownership from a (relatively)
synchronous process (pam_console) to an asynchronous one; not that that's
necessarily *bad*, but it's different.

I suppose what it boils down to is that this gives you the ability to
only have devices with the active session, or to tie devices to a particular
seat - the other models you propose could be done with pam_console
or similar.

Bill
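
The revoke() point above, as an added example that is not part of the original message or of HAL: a descriptor opened while access was granted keeps working after access is withdrawn, because permissions are only checked at open() time. It assumes a temporary regular file standing in for a device node and chmod() standing in for removing the ACL entry; `demo_stale_descriptor` and `struct stale_access` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result of the demonstration; both fields are 1 (yes) or 0 (no). */
struct stale_access {
    int old_fd_still_reads;  /* descriptor opened before the change still works */
    int new_open_denied;     /* a fresh open() after the change is refused */
};

/* A temporary regular file stands in for a device node (assumption). chmod()
 * stands in for dropping the ACL entry: both only affect later open() calls. */
static int demo_stale_descriptor(struct stale_access *out)
{
    char path[] = "/tmp/acl-demo-XXXXXX";
    char buf[16] = {0};
    int fd = mkstemp(path);          /* "login": the session opens the device */
    if (fd < 0)
        return -1;
    if (write(fd, "device-data", 11) != 11 || chmod(path, 0) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    /* "logout": access has been withdrawn, but nothing revoked the open fd. */
    out->old_fd_still_reads =
        lseek(fd, 0, SEEK_SET) == 0 && read(fd, buf, sizeof buf - 1) == 11;
    int fd2 = open(path, O_RDONLY);  /* what a process started later would do */
    out->new_open_denied = (fd2 < 0);
    if (fd2 >= 0)
        close(fd2);                  /* root bypasses mode bits, so this can succeed */
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    struct stale_access r;
    if (demo_stale_descriptor(&r) != 0)
        return 1;
    printf("old fd still reads: %d, new open denied: %d\n",
           r.old_fd_still_reads, r.new_open_denied);
    return 0;
}
```

Run as an unprivileged user, both fields come back 1: the permission change blocks new opens but leaves the already-open descriptor usable until the process closes it.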

