On Tue, Feb 16, 2010 at 10:17 PM, Lennart Poettering <lennart at poettering.net> wrote: > On Tue, 16.02.10 20:48, Markus Rechberger (mrechberger at gmail.com) wrote: > >> Lennard, don't spread nonsense around, if you have raw access to a camera there >> might be the possibility to update the firmware and damage the device. >> If you would have little experience with hardware you should know about that. >> Your ACL/libusb restriction won't make this situation better it's >> still a security risk. >> Although just drop libusb as an example. >> >> Markus > > Marcus, then you better run quickly and complain to the udev folks, > because they have been shipping udev with libusb devices accessible to > console users sine about forever. Just plug in a USB scanner on a > reasonably new Linux machine and run "ls -al /dev/bus/usb/*/*". Then, > look out for the "+" in the permissions column and run getfacl on that > file, and you'll see that the logged in user may access the device > node. > Sure but this doesn't mean that it's right and is a security issue. It's like making CPU levels obsolete just because someone made the mistakes to run everything at Kernellevel. Almost all available USB TV Tuners use to run with a firmware nowadays, even by loading the wrong firmware into a chip a chip can blow up. If every user has the possibility to access devices at a raw level (not at a defined API level) ...everyone can do that. > But all of this has nothing to do with PA. Indeed, but this ACL example came up by you guys, so you should better learn that this is not always the correct way. With your example this even turns out to be a security risk. Markus