pam_group (Was: ubuntu-xxx ....)
Timo Aaltonen
tjaalton at cc.hut.fi
Fri Apr 1 01:09:20 CST 2005
On Fri, 1 Apr 2005, Scott James Remnant wrote:
> On Thu, 2005-03-31 at 23:38 +0200, Timo Aaltonen wrote:
>> On Thu, 31 Mar 2005, Matt Zimmerman wrote:
>>
>>> It seems that way at first, but in fact the semantics are closer to "any
>>> user who has ever logged in locally has access to these devices". Pitfalls
>>> like these are the reason why we don't "magically" grant permissions based
>>> on dynamic criteria. If the user should have access to the devices, they
>>> should be granted, otherwise not. The capability does not currently exist
>>> to revoke these permissions from users once they have been granted.
If I understand this correctly, it means that if a user has logged in
locally and got access to those groups, it has the same access when logged
in later (via ssh for example)? I've tested this and it is not the case;
the user does not get in those groups, even if he/she is logged in locally
at the same time.
>> Do you have more info regarding this? The PAM-documentation doesn't
>> enlighten me. Even if it is as you describe, the situation is a bit better
>> than granting access to all users, no?
>>
> Log in locally:
>
> cp /bin/sh $HOME
> chgrp plugdev $HOME/sh
> chmod g+s $HOME/sh
>
> You now have a setgid plugdev shell that you can use anytime you want
> permissions of that group.
True, if your home is on the local disk, or if the admins have gone
bonkers. The documentation says that every file system where the user has
write access should be mounted with the 'nosuid' option, which is usually (I
think) the case at least on NFS mounts. /tmp and such is another story,
though.
t
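As an added example, not part of the thread or of pam_group itself, here is a POSIX shell audit for the two points raised above: setgid executables that carry a group pam_group hands out at login, and filesystems a user can write to that are not mounted nosuid. The group list and the mount table are constructed for the example; on a real host the groups come from /etc/security/group.conf and the table from /proc/mounts.

```shell
#!/bin/sh
# Groups pam_group grants at login (constructed list; read them from
# /etc/security/group.conf on a real host).
DEVICE_GROUPS="plugdev audio video cdrom"

# find_setgid_for_groups DIR GROUP...: print regular files under DIR that
# have the setgid bit and are owned by one of the listed groups. Such a
# file is the "setgid plugdev shell" from the thread: it keeps the group's
# rights after the login session that created it has ended. Groups unknown
# to this host are skipped so find does not abort on them.
find_setgid_for_groups() {
    dir=$1; shift
    for g in "$@"; do
        getent group "$g" >/dev/null 2>&1 \
            || grep -q "^$g:" /etc/group 2>/dev/null \
            || continue
        find "$dir" -xdev -type f -perm -2000 -group "$g" 2>/dev/null
    done
}

# mounts_missing_nosuid < table: read lines in /proc/mounts format
# (device mountpoint fstype options ...) and print the mount points whose
# options do not include nosuid. A writable filesystem listed here is one
# where a copied setgid shell would still run with the group's rights; the
# remedy the thread points to is mounting it nosuid.
mounts_missing_nosuid() {
    awk '{ n = split($4, o, ","); seen = 0
           for (i = 1; i <= n; i++) if (o[i] == "nosuid") seen = 1
           if (!seen) print $2 }'
}

# Constructed sample table (not from a real host) covering the cases in the
# thread: an NFS home mounted nosuid, a local root filesystem, and /tmp.
SAMPLE_MOUNTS='nfs1:/export/home /home nfs rw,nosuid,nodev 0 0
/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nodev 0 0'

# audit_sample_mounts: run the nosuid check over the constructed table.
audit_sample_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_missing_nosuid
}

# Stand-alone use: scan / for setgid files in the device groups, then report
# the mount points in the sample table that lack nosuid.
find_setgid_for_groups / $DEVICE_GROUPS
audit_sample_mounts
```

On a real host replace the sample table with `mounts_missing_nosuid < /proc/mounts` and compare the result against the directories users can write to.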