On Tue, Jan 10, 2006 at 12:07:58AM +0000, Matthew Garrett wrote:
> On Tue, Jan 10, 2006 at 12:59:46AM +0100, Andreas Gruenbacher wrote:
> > On Monday 09 January 2006 00:34, Matthew Garrett wrote:
> > > Hmm. Do you have any infrastructure for revoking open file descriptors
> > > when a user logs out?
> >
> > Open file descriptors have nothing to do with it. The device permissions are
> > set by different pam modules on different distributions (pam_console,
> > pam_resmgr).
>
> Right. But what stops a user writing an application that opens a device,
> hangs around after the user logs out and then provides access to the
> user when logged in remotely?
>
> Handwavy problem scenario - user A logs in, is given access to the
> soundcard. Starts running a program that when given appropriate signals
> will record from the system microphone. Logs out. Waits for user B, who
> he suspects is having an affair with his wife, and then monitors any
> conversations that user B has.
That can be solved in the user session handling and not in the kernel.
> ACLs on their own don't seem to solve
> this any more than just statically assigning group membership to users.
Sure, they do. Unlike silly group memberships, the system can provide
ressources to "local" users only.
Kay
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
