Bug 202132 - pam update breaks dvb permissions
Summary: pam update breaks dvb permissions
Alias: None
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
(Show other bugs)
Version: 5
Hardware: All Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-08-10 21:56 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-02-06 15:07:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Ville Skyttä 2006-08-10 21:56:54 UTC
After upgrading to pam, the permissions of the DVB device nodes
of my headless VDR-based PVR box are hosed.

The new dvb stuff in /etc/security/console.perms.d/50-default.perms is the
culprit.  First of all, the defaults for dvb devices are off sync with udev
(0660 in udev, 0600 in pam).

But an even worse issue is that it no longer matters what I set in udev's config
for the modes or group (I need 0660, root:video), pam goes and overwrites that
at boot even when nobody has ever logged in.

I can of course configure it in both pam and udev, but that sucks.  Any other ideas?

Comment 1 Tomas Mraz 2006-08-21 12:40:46 UTC
I could change pam to have 0660 to keep in sync with udev however it wouldn't
change the situation much for you because it would be reset to the root group
anyway. But you of course don't have to configure it in both pam and udev - it
should be fine to configure it in pam only.

Comment 2 Ville Skyttä 2006-08-21 16:48:53 UTC
Yep, I figured that doing it in pam is enough afterwards but forgot to note it
here.  <console> 0660 <dvb> 0660 <root> would be an improvement even if it
wouldn't directly help me out in this scenario.  I suppose there are other
things besides dvb that should receive the same sync operation between udev and
pam, /dev/ircomm* is one obvious example.

But I think it would be better to try to get the disconnect between udev and
pam_console fixed For Real(tm) some way.  I don't have good suggestions how to
do that right now, but here's one slightly related suggestion:

Make it possible to leave the user/group alone when pam_console sets ownerships,
ditto some bits of the mode.  For example:

<console> 06** <dvb> 06** root.*
...could leave the things marked with asterisks (group and the two last digits
of the mode) untouched when changing permissions etc.

Comment 3 Tomas Mraz 2006-08-21 16:59:20 UTC
The problem is with the reset permissions and ownership - you cannot leave
things as they are because malicious console user could set group ownership or
mode to different values than they were set by root (udev).

I think that an improvement would be to add appropriate groups for various
devices to a default config of udev and pam_console + /etc/group.

A real solution would be to use ACLs for the device nodes so there could be for
example multiple console owners and so on.

Comment 4 Ville Skyttä 2006-08-21 17:24:45 UTC
Hmm, I have a strange deja vu feeling that someone (maybe you?) has pointed out
that problem to me before.  Thanks for the reminder.  However, that problem
already kind of exists: a malicious console user can change groups or modes at
will while logged in anyway, no?

In case additional groups are under consideration, let me pimp adding "video":
it is a standard/shipped one in at least SuSE, Mandriva, Debian, and Ubuntu.  In
addition to those, udev rules files shipped with upstream udev suggest that it
is also available in Gentoo, Frugalware and Slackware.  And in addition to udev,
I know some other projects whose upstream documentation assumes that it is
available out of the box.

Comment 5 Tomas Mraz 2006-08-21 18:43:01 UTC
He can change them, but he cannot elevate his privileges this way only make it
inaccessible to other people. But if the permissions and group were not reset
after he logs out he could get access to the devices even when he is no longer
the console user.

Comment 6 Ville Skyttä 2006-08-21 19:00:00 UTC
Ok.  By the way, I'll probably need to do the video group config in both udev
and console.perms after all, this scenario is in a package (VDR, under review
for Extras in #190343) which needs access to DVB devices even if the local admin
chooses to disable access to them for console users.

Comment 7 Tomas Mraz 2007-02-06 15:07:25 UTC
Wontfix for now - we would have to obtain a new system group for video devices
for this to work. And the device management will be substantially changed in
near future with the PolicyKit etc.

Note You need to log in before you can comment on or make changes to this bug.