[systemd-devel] How to give users permissions to /dev/kfd
Lennart Poettering
lennart at poettering.net
Tue Oct 24 08:19:02 UTC 2017
On Mo, 16.10.17 12:32, Simon McVittie (smcv at collabora.com) wrote:
> On Sat, 14 Oct 2017 at 17:50:33 +0300, Mantas Mikulėnas wrote:
> > No, it's only available for local sessions (ones which systemd-logind considers
> > "local" + "active"). I think the idea is that console users automatically get
> > more privileges in general.
>
> Specifically, the idea is that console users should have access to
> devices that are the machine representation of things they can physically
> access anyway. The classic example is audio. If Alice is sitting at a
> desktop/laptop computer and Bob is ssh'd in to the same computer, it's
> fine for Alice to be able to record the same audio that she can hear
> already; but it is usually not OK for Bob to be able to record audio
> because that would let him spy on Alice.
>
> Similarly, logind defaults to allowing local active users to shut down
> the machine (because they are likely to be in a position to pull the
> plug or remove the battery anyway), but not remote users (to prevent
> them from causing denial-of-service for local users or other remote users).
>
> > For SSH-only usage, use traditional groups (e.g. add yourself to the "video"
> > group). To assign group ownership to /dev/kfd, use GROUP="foo" in udev rules.
>
> And, yes, the way to bypass the "only local users" bit is to add your uid
> to an appropriate group, which is a way of saying: this user has special
> privileges, and can access something (in your case video) even when not
> physically present.

For the sake of the archives, this discussion more or less moved to:
https://github.com/systemd/systemd/pull/7112
Lennart
--
Lennart Poettering, Red Hat
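
The two access paths described in this thread (a logind ACL for local, active sessions versus traditional group ownership) can be modelled as below. This is an added example, not part of the original messages and not systemd code. The function names and sample sessions are constructed, and the fourth argument assumes you already know whether the device carries udev's `uaccess` tag.

```shell
#!/bin/sh
# Added example: decide how a user would reach a device node such as /dev/kfd.
#   acl   = logind grants a per-user ACL (device tagged uaccess, session local + active)
#   group = traditional group ownership (e.g. GROUP="video" in a udev rule)
#   none  = neither path applies

# Read one property from `loginctl show-session`-style KEY=VALUE text.
session_prop() {  # $1 = properties text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# True when the session is what logind treats as local and active.
session_is_local_active() {  # $1 = properties text
    [ "$(session_prop "$1" Remote)" = "no" ] &&
    [ "$(session_prop "$1" Active)" = "yes" ]
}

# True when $2 (device group) appears in $1 (space-separated group list).
in_group() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# $1 = properties text, $2 = user's groups, $3 = device group,
# $4 = "yes" if the device is tagged uaccess (assumption supplied by the caller)
access_path() {
    if [ "$4" = "yes" ] && session_is_local_active "$1"; then
        echo acl
    elif in_group "$2" "$3"; then
        echo group
    else
        echo none
    fi
}

# Constructed sample sessions (not captured from a real machine).
ALICE_SESSION='Id=2
Name=alice
Seat=seat0
Remote=no
Active=yes'
BOB_SESSION='Id=7
Name=bob
Remote=yes
Active=yes'

access_path "$ALICE_SESSION" "alice wheel" video yes   # acl
access_path "$BOB_SESSION"   "bob"         video yes   # none
access_path "$BOB_SESSION"   "bob video"   video yes   # group
```

On a live system the inputs would come from `loginctl show-session "$XDG_SESSION_ID"`, `id -nG` and `stat -c %G /dev/kfd`.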