Re: [arch-general] Standard group for "hardware user"?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hello,

im not sure how useful this advice is, but have you considered to ask on the archbsd mainlinglist? I dont know if they're using udev, mdev or another thing, but may they have some tips for that.

regards,



Am 2015-01-07 10:09, schrieb Tobias Hunger:
Hi Neale,

The packages in arch are built with the systemd security model in
mind. You are changing that pretty fundamental assumption by ripping
out systemd, logind & co. and that will have an effect on the overall
security of your system. At least give the packages a chance to
respond to that changed assumption by rebuilding them, telling them
that there won't be any systemd. That way they can adapt their
configuration and permissions during install (not that I think many
will;-). Ideally you would also go through all PKGBUILDs with a fine
toothed comb to find settings that need to be adapted from the
arch-defaults before rebuilding.

Of course you also need to be aware of the security issues that were
fixed by logind. This is mostly (remote) users being able to snoop on
local users by recording keystrokes or even audio/video of them at the
machine. People argue that this is not much of an issue on a
single-user machine.

You also will need to run xorg as root, which is a huge piece of code
known to be written before security was a concern to developers.
Logind allows to run that as a normal user (provided other conditions
are met as well).

TL;DR: Replacing systemd in arch is nothing that should be attempted
in an idle afternoon.

Best Regards,
Tobias


On Tue, Jan 6, 2015 at 12:42 AM, Neale Pickett <neale@xxxxxxxxxx> wrote:
I'm not going to remove any groups, but I want to make sure I'm not
configuring mdev to set ownership to a group that may not exist in the
future. I will probably create a new group called "hardware" that will
allow users to access audio, video, serial, and USB storage devices, and use Posix ACLs to set individual permissions for daemons like mpd. Things
that are packaged now should continue to work (or not) as normal with
Arch's default filesystem groups if they're using my mdev/runit setup.

I do have systemd installed. Too many things depend on it for me to remove
it. If I could remove or recompile X11, tcpdump (libusb), nfs-utils
(device-mapper), and procps-ng, I think I might be able to remove the
systemd package. But I have enough work already, I don't need to go
recompiling stuff just to get rid a single dependency! :)

On Mon Jan 05 2015 at 3:47:37 PM Leonid Isaev <lisaev@xxxxxxxxxxxx> wrote:

On Mon, Jan 05, 2015 at 09:59:51PM +0000, Neale Pickett wrote:
> This is very helpful. Thank you!

If you go with your own group list, check configs of your daemons to see
which
groups they expect. Some (e.g. dnsmasq) will call useradd and groupadd in
their
.install files. But syslog-ng, for example, by default creates log files
640
root:log...

Also, I just wonder, do you have systemd installed at all?

Cheers,
--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux