pam_group (Was: ubuntu-xxx ....)
tjaalton at cc.hut.fi
Thu Mar 31 15:38:20 CST 2005
On Thu, 31 Mar 2005, Matt Zimmerman wrote:
> On Thu, Mar 31, 2005 at 10:16:05PM +0200, Timo Aaltonen wrote:
>> Not if you have >20000 users.
> Surely with that number of users, you have tools to make changes like this
Yes that's true, but we haven't been using LDAP for that long yet, so all
the benefits aren't there yet.
> What sort of security problem? If the user should have these privileges
> according to your security policy, they should be granted to them.
Well, like reading(/writing) the cdrom or usb-mounts? Actually, I'm not
sure what kind of permissions usbfs-mounts on Ubuntu get (can't test it),
but at least cdrom-mounts are world-readable. What else... cat'ing
/dev/dsp?-) (ok, class computers have no speakers, but still..)
Of course you can argue why to let the users log in remotely in the first
place, but let's not ;)
> It seems that way at first, but in fact the semantics are closer to "any
> user who has ever logged in locally has access to these devices". Pitfalls
> like these are the reason why we don't "magically" grant permissions based
> on dynamic criteria. If the user should have access to the devices, they
> should be granted, otherwise not. The capability does not currently exist
> to revoke these permissions from users once they have been granted.
Do you have more info regarding this? The PAM-documentation doesn't
enlighten me. Even if it is as you describe, the situation is a bit better
than granting access to all users, no?
More information about the ubuntu-devel