Ticket #92 (closed defect: fixed)

Opened 13 years ago

Last modified 12 years ago

Console user group membership/device access

Reported by: quentin
Owned by:
Priority: low
Milestone:
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

Various devices in Debian (and presumably Ubuntu) have their access
controlled by local groups; we should use pam_groups to put the console
user into the appropriate groups so that they can control hardware on the
system. Some groups that spring to mind on Debian:

  • video (access to V4L devices and OpenGL direct rendering)
  • dialout (access to serial ports)
  • audio (access to audio devices)
  • cdrom (raw access to CD devices)

Change History

comment:1 Changed 13 years ago by geofft

We probably also want the "fuse" group for 6.824 and general FUSE fun, and "floppy" in case there are devices controlled by that group.

I suppose adding "admin" here will make people automatically sudoers with basically no effort. This is probably something we want for the clusters, but almost certainly not by default in the SIPB Debathena packages.

comment:2 Changed 13 years ago by quentin

I suspect that adding "admin" in PAM will not work, as I am pretty sure that sudo will manually check the user's group membership before allowing access.

I don't think we necessarily want to allow cluster users to sudo without a password, as then an exploited user account would equal root access even for exploits that don't understand the MIT environment.

Also, I believe the canonical name of the PAM module is pam_group, not pam_groups.

I would like to see SIPB's Debathena repository offer everything necessary to build a private Athena workstation, and I think this might be something private users would want. I agree that it shouldn't be the default, though.

comment:3 Changed 13 years ago by broder

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in r23287

(Also gave cluster users the ability to sudo within their login chroots in r23288)

comment:4 Changed 12 years ago by quentin

  • Status changed from closed to reopened
  • Component set to --
  • Resolution fixed deleted

It looks like we missed one group - "lp" controls access to local parallel ports, and is the equivalent of dialout for serial ports.

comment:5 Changed 12 years ago by jdreed

  • Status changed from reopened to proposed

comment:6 Changed 12 years ago by jdreed

Fixed in r24492

comment:7 Changed 12 years ago by jdreed

  • Status changed from proposed to closed
  • Resolution set to fixed

Moved to production.
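A worked pam_group configuration for what this ticket asks for, added here as an illustration. It is not the actual Debathena change from r23287 or r24492 (the ticket does not show that diff); it consolidates the groups named in the description, comment 1 and comment 4. The service name, tty pattern and file placement are assumptions about a Debian console-login setup and should be adapted to the display manager in use:

```conf
# /etc/pam.d/login  (virtual-console logins; Debian ships this line commented out)
# The same line would be needed in the display manager's PAM service for X logins.
auth    optional    pam_group.so

# /etc/security/group.conf
# Field layout: services ; ttys ; users ; times ; groups
#  - "login" restricts the rule to the console login service. Assumption: a
#    display manager (gdm/lightdm) needs its own line, since its PAM_TTY is
#    normally the display name rather than a tty* device.
#  - "tty*" limits the grant to virtual consoles; remote sessions whose
#    PAM_TTY is not a tty* device get no extra groups.
#  - "*" matches every user; Al0000-2400 means all days, all hours.
login ; tty* ; * ; Al0000-2400 ; video,dialout,audio,cdrom,fuse,floppy,lp

# Deliberately omitted: admin. pam_group only adds supplementary groups to the
# credentials of the login process; it never writes to /etc/group, so anything
# that consults the group database rather than the process's own group list
# will not see the membership.
```

To check it, log in on a virtual console and run `id -Gn`: the extra groups appear in the process's supplementary group list, while `getent group video` still does not list the user, because the membership lives only in the session's credentials. That process-scoped behaviour is also why the dialout/lp grants disappear cleanly at logout without any cleanup step.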
