consolekit and user groups

Scott James Remnant scott at canonical.com
Wed Jan 21 07:17:08 PST 2009


On Wed, 2009-01-21 at 07:07 -0800, Yan Seiner wrote:

> My concept has been to assign all those resources to a group: seatX.  
> When user userX logs in, he is made a member of group seatX, and has 
> access to those resources.
> 
You do not want to do this.

Group access is forever; once the user is in seat1, they can be
effectively assumed to be forever on seat1.  If they should subsequently
sit in seat2, they're now basically in seat1 and seat2 simultaneously.

The preferred method is that ACLs are used on the device nodes.  HAL,
using PK/CK, will add ACLs for the devices based on who is at the seat.


For example, here's my cdrom device:

brw-rw----+ 1 root cdrom 11, 1 2009-01-17 15:18 /dev/scd1

The "cdrom" group is for _system_software_ (ie. daemons) that routinely
access the device, users should NOT be placed in the group.

Note the "+" on the end of the permissions, that means there are ACLs
that apply.

quest scott% getfacl /dev/scd1
getfacl: Removing leading '/' from absolute path names
# file: dev/scd1
# owner: root
# group: cdrom
user::rw-
user:scott:rw-
group::rw-
mask::rw-
other::---

And here we see that a user ACL for myself has been added, because I'm
at the same seat as the CDROM drive.


Should I stand up, and log out, the ACL will be removed and I will
instantly lose access to that drive.  I can't ssh in later, or sit in
another seat, and get access again.

Scott
-- 
Scott James Remnant
scott at canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.freedesktop.org/archives/hal/attachments/20090121/aa7e607c/attachment.pgp 


More information about the hal mailing list