[Techtalk] Changing ownership of devices
Conor Daly
conor.daly at oceanfree.net
Thu Sep 11 16:11:13 EST 2003
On Thu, Sep 11, 2003 at 02:34:12PM +0100 or so it is rumoured hereabouts,
Maria Blackmore thought:
>
> What if there are multiple people logged in at the console? Who gets the
> ownership then?
First one in...
> > The problem with this (and presumably the reason RedHat don't do it)
> > is that members of this group then have access to devices being used
> > by other members of the group. If we're both authorized scanner users,
> > I can then read whatever you scan in...
>
> At this point, I'd be asking that if what you're scanning is so
> confidential, what are you doing scanning it on a multi-user machine?
I think it's more a matter of device conflicts rather than security (but
the security subsystem is the easiest way to implement it). E.g., if I
start a scan and then another user sends a "reset" to the scanner. Or if
I mount a CDRW to read data from it and another user runs
'cdrecord -blank'.
> Of course, as a medium ground, you can just ensure that you are the only
> person in the group that owns the scanner, but then no-one else can use it
> either. There's no easy way around this, but I've got to say that I
> really don't like the look of Redhat's solution. It might fix one
> problem, and avoid a possible security issue, but it gives rise to other
> issues too.
I'm not wild about it either... And it spoils the old trick of having an
unsuspecting user's loudspeakers start whispering at them. :-)
Meanwhile Cengizhan's suggestion of modifying /etc/security/console.perms
looks like the trick.
Thanks all!
Conor
--
Conor Daly <conor.daly at oceanfree.net>
Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
4:05pm up 24 days, 22:38, 0 users, load average: 0.08, 0.02, 0.01
Hobbiton.cod.ie
4:02pm up 24 days, 22:37, 1 user, load average: 0.07, 0.11, 0.05