[Techtalk] Re: Changing ownership of devices

kaptan kaptan at kablonet.com.tr
Thu Sep 11 17:05:17 EST 2003


Hi all, 

When a user logs into a machine under Red Hat Linux, the pam_console.so 
module is called by login or the graphical login programs, gdm and kdm. If 
this user is the first user to log in at the physical console — called the 
console user — the module grants the user ownership of a variety of devices 
normally owned by root. The console user owns these devices until the last 
local session for that user ends. Once the user has logged out, ownership of 
the devices reverts back to the root user. 

The devices affected include, but are not limited to, sound cards, diskette 
drives, and CD-ROM drives. 

This allows a local user to manipulate these devices without attaining root, 
thus simplifying common tasks for the console user. 

 ->By modifying the file /etc/security/console.perms, the administrator can 
edit the list of devices controlled by pam_console.so. 

Source: RH9 Ref. Guide 14.6.1 

You may customize / overrule the default settings. 

Best regards,
Cengizhan 

Maria Blackmore writes: 

> On Wed, 10 Sep 2003 jas at spamcop.net wrote:
>> > This seems very bizarre to me, the device should never be owned by anyone
>> > other than root. 
>> 
>> RedHat takes a slightly different approach: I/O peripherals like that should be
>> owned by whoever is at the console. If user 'maria' logs in at the console
>> (including X) then maria gets ownership of these devices; when she logs out,
>> ownership is returned to root.
> 
> err .. that seems dumb 
> 
> What if there are multiple people logged in at the console?  Who gets the
> ownership then? 
> 
>> The problem with this (and presumably the reason RedHat don't do it)
>> is that members of this group then have access to devices being used
>> by other members of the group. If we're both authorized scanner users,
>> I can then read whatever you scan in...
> 
> At this point, I'd be asking that if what you're scanning is so
> confidential, what are you doing scanning it on a multi-user machine? 
> 
> Of course, as a medium ground, you can just ensure that you are the only
> person in the group that owns the scanner, but then no-one else can use it
> either.  There's no easy way around this, but I've got to say that I
> really don't like the look of Redhat's solution.  It might fix one
> problem, and avoid a possible security issue, but it gives rise to other
> issues too. 
> 
> Maria 
> 
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
 


Best regards,
Cengizhan Kaptan 
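As an added illustration, not part of the original post or of Red Hat's pam_console code, here is a small Python model of the hand-off the guide text describes: the first user to log in at the console gets ownership, later console logins do not take it away, and ownership reverts to root only when that user's last local session ends. The console.perms fragment is constructed for the example and assumes the `<class>=patterns` / `<console> mode <class> revert-mode owner.group` line layout of that file.

```python
import re
from dataclasses import dataclass

# Constructed fragment in the /etc/security/console.perms layout (assumed):
# class definitions, then "<console> mode <class> revert-mode owner.group".
SAMPLE_PERMS = r"""
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<floppy>=/dev/fd[0-1]*
<sound>=/dev/dsp* /dev/audio* /dev/mixer*
<console>  0660 <floppy>  0660 root.floppy
<console>  0600 <sound>   0600 root
"""

@dataclass
class DeviceState:
    owner: str   # user name that currently owns the device node
    mode: str    # permission bits currently applied

def parse_perms(text):
    """Return (class -> pattern list, rule list) from a console.perms text."""
    classes, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(\w+)>=(.*)", line)
        if m:                                  # device class definition
            classes[m.group(1)] = m.group(2).split()
            continue
        _console, mode, dev_cls, revert_mode, revert_owner = line.split()
        owner = revert_owner.partition(".")[0]  # "root.floppy" -> "root"
        rules.append((dev_cls.strip("<>"), mode, revert_mode, owner))
    return classes, rules

class ConsoleModel:
    """Models the ownership hand-off described in the RH9 reference guide."""
    def __init__(self, perms_text):
        self.classes, self.rules = parse_perms(perms_text)
        self.console_user = None
        self.sessions = {}                     # user -> open local sessions
        self.devices = {}
        self._apply(lambda mode, rmode, owner: DeviceState(owner, rmode))
    def _apply(self, make_state):
        for dev_cls, mode, rmode, owner in self.rules:
            for pattern in self.classes.get(dev_cls, []):
                self.devices[pattern] = make_state(mode, rmode, owner)
    def login(self, user):
        self.sessions[user] = self.sessions.get(user, 0) + 1
        if self.console_user is None:          # first user at the physical console
            self.console_user = user
            self._apply(lambda mode, rmode, owner: DeviceState(user, mode))
    def logout(self, user):
        self.sessions[user] -= 1
        if user == self.console_user and self.sessions[user] == 0:
            self.console_user = None           # last local session ended: revert
            self._apply(lambda mode, rmode, owner: DeviceState(owner, rmode))
    def owner_of(self, pattern):
        return self.devices[pattern].owner
```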

