pam_group (Was: ubuntu-xxx ....)

Timo Aaltonen tjaalton at
Thu Mar 31 15:38:20 CST 2005

On Thu, 31 Mar 2005, Matt Zimmerman wrote:

> On Thu, Mar 31, 2005 at 10:16:05PM +0200, Timo Aaltonen wrote:
>> Not if you have >20000 users.
> Surely with that number of users, you have tools to make changes like this
> automatically.

Yes that's true, but we haven't been using LDAP for that long yet, so all 
the benefits aren't there yet.

> What sort of security problem?  If the user should have these privileges
> according to your security policy, they should be granted to them.

Well, like reading(/writing) the cdrom or usb-mounts? Actually, I'm not 
sure what kind of permissions usbfs-mounts on Ubuntu get (can't test it), 
but at least cdrom-mounts are world-readable. What else... cat'ing 
/dev/dsp?-) (ok, class computers have no speakers, but still..)

Of course you can argue why to let the users log in remotely in the first 
place, but let's not ;)

> It seems that way at first, but in fact the semantics are closer to "any
> user who has ever logged in locally has access to these devices".  Pitfalls
> like these are the reason why we don't "magically" grant permissions based
> on dynamic criteria.  If the user should have access to the devices, they
> should be granted, otherwise not.  The capability does not currently exist
> to revoke these permissions from users once they have been granted.

Do you have more info regarding this? The PAM-documentation doesn't 
enlighten me. Even if it is as you describe, the situation is a bit better 
than granting access to all users, no?


More information about the ubuntu-devel mailing list