After upgrading to pam 0.99.5.0-5.fc5, the permissions of the DVB device nodes of my headless VDR-based PVR box are hosed. The new dvb stuff in /etc/security/console.perms.d/50-default.perms is the culprit. First of all, the defaults for dvb devices are out of sync with udev (0660 in udev, 0600 in pam). But an even worse issue is that it no longer matters what I set in udev's config for the modes or group (I need 0660, root:video); pam goes and overwrites that at boot even when nobody has ever logged in. I can of course configure it in both pam and udev, but that sucks. Any other ideas?
I could change pam to have 0660 to keep in sync with udev; however, it wouldn't change the situation much for you because it would be reset to the root group anyway. But you of course don't have to configure it in both pam and udev - it should be fine to configure it in pam only.
Yep, I figured that doing it in pam is enough afterwards but forgot to note it here.
    <console> 0660 <dvb> 0660 <root>
would be an improvement even if it wouldn't directly help me out in this scenario. I suppose there are other things besides dvb that should receive the same sync operation between udev and pam, /dev/ircomm* is one obvious example. But I think it would be better to try to get the disconnect between udev and pam_console fixed For Real(tm) some way. I don't have good suggestions how to do that right now, but here's one slightly related suggestion: Make it possible to leave the user/group alone when pam_console sets ownerships, ditto some bits of the mode. For example:
    <console> 06** <dvb> 06** root.*
...could leave the things marked with asterisks (group and the two last digits of the mode) untouched when changing permissions etc.
The problem is with the reset permissions and ownership - you cannot leave things as they are because a malicious console user could set group ownership or mode to different values than they were set by root (udev). I think that an improvement would be to add appropriate groups for various devices to a default config of udev and pam_console + /etc/group. A real solution would be to use ACLs for the device nodes so there could be for example multiple console owners and so on.
Hmm, I have a strange deja vu feeling that someone (maybe you?) has pointed out that problem to me before. Thanks for the reminder. However, that problem already kind of exists: a malicious console user can change groups or modes at will while logged in anyway, no? In case additional groups are under consideration, let me pimp adding "video": it is a standard/shipped one in at least SuSE, Mandriva, Debian, and Ubuntu. In addition to those, udev rules files shipped with upstream udev suggest that it is also available in Gentoo, Frugalware and Slackware. And in addition to udev, I know some other projects whose upstream documentation assumes that it is available out of the box.
He can change them, but he cannot elevate his privileges this way, only make it inaccessible to other people. But if the permissions and group were not reset after he logs out, he could get access to the devices even when he is no longer the console user.
Ok. By the way, I'll probably need to do the video group config in both udev and console.perms after all; this scenario is in a package (VDR, under review for Extras in #190343) which needs access to DVB devices even if the local admin chooses to disable access to them for console users.
Wontfix for now - we would have to obtain a new system group for video devices for this to work. And the device management will be substantially changed in the near future with PolicyKit etc.
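The udev/pam_console mismatch reported at the top of this thread can be caught before boot by comparing the values pam_console reverts to against what the admin set in udev. The following is an added example, not code from pam, udev or any participant here; it assumes a five-field permission line (`<console> MODE <class> REVERT_MODE OWNER[.GROUP]`), treats a missing group as root, and uses constructed sample data and a hypothetical `UDEV_INTENT` table.

```python
import re

# Assumed layout of a console.perms permission line (five fields):
#   <console> MODE <class> REVERT_MODE OWNER[.GROUP]
PERM_LINE = re.compile(
    r"^\s*<console>\s+(?P<mode>[0-7]{3,4})\s+<(?P<cls>[\w-]+)>\s+"
    r"(?P<revert>[0-7]{3,4})\s+(?P<owner>[\w-]+)(?:[.:](?P<group>[\w-]+))?\s*$"
)

def parse_perms(text):
    """Return {class: (console_mode, revert_mode, owner, group)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = PERM_LINE.match(line)
        if m:
            # Assumption: no group given means the node ends up in group root.
            rules[m["cls"]] = (int(m["mode"], 8), int(m["revert"], 8),
                               m["owner"], m["group"] or "root")
    return rules

def find_mismatches(rules, udev_intent):
    """List (class, field, pam_value, udev_value) where the revert state
    pam_console applies differs from what udev was configured to set."""
    out = []
    for cls, (u_mode, u_owner, u_group) in sorted(udev_intent.items()):
        if cls not in rules:
            continue                         # pam_console does not manage it
        _, r_mode, r_owner, r_group = rules[cls]
        if r_mode != u_mode:
            out.append((cls, "mode", f"{r_mode:04o}", f"{u_mode:04o}"))
        if r_owner != u_owner:
            out.append((cls, "owner", r_owner, u_owner))
        if r_group != u_group:
            out.append((cls, "group", r_group, u_group))
    return out

# Constructed sample modelled on the values quoted in the thread.
SAMPLE_PERMS = """\
# constructed sample, not a copy of 50-default.perms
<console>  0600 <dvb>     0600 root
<console>  0660 <floppy>  0660 root.floppy
"""
# Hypothetical table of what the admin configured in udev: (mode, owner, group).
UDEV_INTENT = {"dvb": (0o660, "root", "video"),
               "floppy": (0o660, "root", "floppy")}

if __name__ == "__main__":
    for cls, field, pam_val, udev_val in find_mismatches(
            parse_perms(SAMPLE_PERMS), UDEV_INTENT):
        print(f"<{cls}> {field}: pam_console reverts to {pam_val}, udev sets {udev_val}")
```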