[systemd-devel] logind: support of shared devices

Lennart Poettering lennart at poettering.net
Wed Jan 28 18:35:53 PST 2015


On Wed, 07.01.15 22:45, Oleg Samarin (osamarin68 at gmail.com) wrote:

> > > After adding the simple udev rule:
> > >
> > > ----------------------------------------------
> > > KERNEL=="seq", SUBSYSTEM=="sound", TAG+="shared"
> > > ----------------------------------------------
> > >
> > > /dev/snd/seq becomes accessible from all seats.
> > >
> > > Could you resolve this patch upstream or propose another way of granting
> > > access to /dev/snd/seq on activating sessions?
> > 
> > Why not remove the "uaccess" TAG from the device and set your own
> > permissions? Like:
> > 
> > TAG-="uaccess", MODE=whatever, GROUP=something
> > 
> > This way, logind will never touch the device and your statically set
> > access-rules will be applied. If you now set the group to your
> > user-group, only your user will have access to the device, regardless
> > of the seat it's on.
> 
> 1. "uaccess" tag is added by another udev rule, and I do not know, what
> will happen if there are two rules in contradiction
> 2. By default /dev/seq/snd belongs to the "audio" group. Changing it may
> be unsafe for some applications.
> 3. Static access rules do not regard on whether the session is active or
> not. I want that the access would be granted only to users that have
> active sessions.

Hmm, I am not sure if we should support shared device access for
things like the sequencer. I mean, is that device even capable of
being shared, and wouldn't two users which have access at the same
time step on each other's toes all the time, and could get access to
stuff they shouldn't be getting?

"uaccess" is really about trying to make access to hardware (slightly,
but well) more secure than with static groups. However, I am not sure
that parallel access to the same device by two users would really be
more secure?

And if this isn't any more secure anyway, maybe it would be OK to just
add your user to the "audio" group and get unrestricted access to the
device? The group exists precisely for cases like this: as a way how
the admin can grant certain users access to a device without that
being bound to any session magic...

Lennart

-- 
Lennart Poettering, Red Hat

