Managing ACL's on device nodes

David Zeuthen david at fubar.dk
Mon Feb 19 09:51:47 PST 2007


On Tue, 2007-02-06 at 22:09 -0500, David Zeuthen wrote:
> Hey,
> 
> Now that we've got ConsoleKit integrated into HAL (optionally of
> course), I thought it would be a good time to teach HAL about managing
> permissions on device files. 

FWIW, I've now done this modulo a few pieces I need to document in the
spec. To use it you need to configure the build with 

 --enable-console-kit
 --enable-acl-management

This is now in Fedora's development branch dubbed Rawhide.

>   - info.access.seats (strlist)
>       This is a list of seats to which a device belongs; if it's empty
>       it means that the device is available for all seats (this will be
>       the default)

This is not done yet as CK doesn't yet support multiple seats.

>   - info.access.grant_local_session (boolean)
>       Access will be granted to all users logged into a seat regardless
>       of whether the session is active or not
> 
>   - info.access.grant_local_active_session (boolean)
>       Access will be granted to all users logged into a seat but only
>       when the session is active
> 
>   - info.access.grant_user (strlist)
>       Strlist of users to always grant access to
> 
>   - info.access.grant_group (strlist)
>       Strlist of groups to always grant access to

All this is in and working though it's called access_control.* instead
of info.access.*. The default configuration is here

 http://gitweb.freedesktop.org/?p=hal.git;a=blob;h=41b9ebde9242ed2051d88e6094b881ce7c7f17f4;hb=a7b41e73c214fa95a8ca2ab1805de5558251f599;f=fdi/policy/10osvendor/20-acl-management.fdi

and since at least Linux doesn't have revoke() we grant devices to local
sessions notwithstanding whether they're active or not. It's a one-line
change to change this (and it works - it actually looks cool to see the
ACLs change on a device node depending on whether a session is active or
not!) but we need some ConsoleKit hooks before that can be done in a
reliable fashion. And it doesn't make much sense either before revoke()
is a reality.

The default configuration needs a bit of fine tuning to replace e.g. Red
Hat's pam-console - for example we probably need to care about managing
ACLs on things like /dev/dri/* and also scanners. Which means we need
to teach HAL about these two things but we've already talked about the
latter and have SANE provide fdi files just like gphoto2. Any other
interesting devices I've missed? I note that SUSE gives ACLs on SCSI
generic devices (e.g. /dev/sg*) and I wonder if that's necessary.

Thanks.

       David
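
An added example, not part of the original message and not HAL's code: a small Python model of how the four grant keys listed above could translate into ACL entries on a device node, and of what changes when the active session switches. The key names without their prefix, the "rw" permission, the "scanner" group and the session data are assumptions made for illustration.

```python
from dataclasses import dataclass

RW = "rw"  # assumed permission bits; the message does not say which are granted

@dataclass(frozen=True)
class Session:
    user: str
    is_local: bool   # session sits on a local seat (as ConsoleKit would report)
    is_active: bool  # session currently owns the console

def acl_entries(policy, sessions):
    """Return setfacl-style entries a device node should carry under `policy`."""
    users = set(policy.get("grant_user", []))
    groups = set(policy.get("grant_group", []))
    for s in sessions:
        if not s.is_local:
            continue  # this model grants nothing to remote logins via session keys
        if policy.get("grant_local_session"):
            users.add(s.user)
        elif policy.get("grant_local_active_session") and s.is_active:
            users.add(s.user)
    return ([f"user:{u}:{RW}" for u in sorted(users)]
            + [f"group:{g}:{RW}" for g in sorted(groups)])

def acl_delta(before, after):
    """Entries to add and to remove when session state changes."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))

# Constructed sample data: two local sessions and one remote login.
SESSIONS = [Session("alice", True, True), Session("bob", True, False),
            Session("carol", False, True)]
# The same seat after switching from alice's session to bob's.
SWITCHED = [Session("alice", True, False), Session("bob", True, True),
            Session("carol", False, True)]

ANY_LOCAL = {"grant_local_session": True, "grant_group": ["scanner"]}
ACTIVE_ONLY = {"grant_local_active_session": True, "grant_group": ["scanner"]}

if __name__ == "__main__":
    print("any local session:", acl_entries(ANY_LOCAL, SESSIONS))
    before = acl_entries(ACTIVE_ONLY, SESSIONS)
    after = acl_entries(ACTIVE_ONLY, SWITCHED)
    add, remove = acl_delta(before, after)
    # Removing alice's entry only blocks new open() calls; descriptors her
    # processes already hold stay usable, which is the gap revoke() would close.
    print("on switch: add", add, "remove", remove)
```
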
