Ticket #92 (closed defect: fixed)
Console user group membership/device access
| Reported by: | quentin | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | |
| Component: | -- | Keywords: | |
| Cc: | Fixed in version: | ||
| Upstream bug: |
Description
Various devices in Debian (and presumably Ubuntu) have their access
controlled by local groups; we should use pam_groups to put the console
user into the appropriate groups so that they can control hardware on the
system. Some groups that spring to mind on Debian:
- video (access to V4L devices and OpenGL direct rendering)
- dialout (access to serial ports)
- audio (access to audio devices)
- cdrom (raw access to CD devices)
Change History
comment:2 Changed 16 years ago by quentin
I suspect that adding "admin" in PAM will not work, as I am pretty sure that sudo will manually check the user's group membership before allowing access.
I don't think we necessarily want to allow cluster users to sudo without a password, as then an exploited user account would equal root access even for exploits that don't understand the MIT environment.
Also, I believe the canonical name of the PAM module is pam_group, not pam_groups.
I would like to see SIPB's Debathena repository offer everything necessary to build a private Athena workstation, and I think this might be something private users would want. I agree that it shouldn't be the default, though.
We probably also want the "fuse" group for 6.824 and general FUSE fun, and "floppy" in case there are devices controlled by that group.
I suppose adding "admin" here will make people automatically sudoers with basically no effort. This is probably something we want for the clusters, but almost certainly not by default in the SIPB Debathena packages.