pam_group (Was: ubuntu-xxx ....)
Timo Aaltonen
tjaalton at cc.hut.fi
Thu Mar 31 15:38:20 CST 2005
On Thu, 31 Mar 2005, Matt Zimmerman wrote:
> On Thu, Mar 31, 2005 at 10:16:05PM +0200, Timo Aaltonen wrote:
>
>> Not if you have >20000 users.
>
> Surely with that number of users, you have tools to make changes like this
> automatically.
Yes that's true, but we haven't been using LDAP for that long yet, so all
the benefits aren't there yet.
> What sort of security problem? If the user should have these privileges
> according to your security policy, they should be granted to them.
Well, like reading(/writing) the cdrom or usb-mounts? Actually, I'm not
sure what kind of permissions usbfs-mounts on Ubuntu get (can't test it),
but at least cdrom-mounts are world-readable. What else... cat'ing
/dev/dsp?-) (ok, class computers have no speakers, but still..)
Of course you can argue why to let the users log in remotely in the first
place, but let's not ;)
> It seems that way at first, but in fact the semantics are closer to "any
> user who has ever logged in locally has access to these devices". Pitfalls
> like these are the reason why we don't "magically" grant permissions based
> on dynamic criteria. If the user should have access to the devices, they
> should be granted, otherwise not. The capability does not currently exist
> to revoke these permissions from users once they have been granted.
Do you have more info regarding this? The PAM-documentation doesn't
enlighten me. Even if it is as you describe, the situation is a bit better
than granting access to all users, no?
t
More information about the ubuntu-devel
mailing list