pam_console

Ville Skyttä ville.skytta at iki.fi
Sun Jan 18 22:22:42 UTC 2009


On Friday 16 January 2009, Bill Nottingham wrote:
> I think it's time to retire pam_console from the default configuration.
[...]
> em8300:	 /etc/security/console.perms.d/60-em8300.perms	(heffer)
> vdr:	 /etc/security/console.perms.d/95-vdr.perms	(scop)
[...]
> I'd be willing to chip in to get these fixed, it shouldn't be that hard.

Thanks in advance.  I'm pretty clueless wrt hal/consolekit but do know how vdr 
(which I maintain and use all the time) and em8300 (which I used to maintain 
and do still use all the time with vdr) should work.  So here goes an 
explanation - if you can help out with these, maybe it'll serve as a good 
education session for myself and others here:

em8300 is a hardware MPEG decoder.  Locally logged in users should be able to 
use it - I guess the same use cases as for DVB cards apply to it.

vdr is a daemon providing PVR functionality.  It is run as a service, with a 
dedicated unprivileged system user account, needs to be able to use at least 
DVB devices without interference even if people log in locally to the box and 
log out, and also after boot without anyone logging in.  Depending on the 
configuration and available plugins, it should also have similar access to 
the em8300 devices, serial ports, input/event devices and optical drives, 
possibly other devices as well.  Ditto the other way around - the 
configuration shouldn't prevent locally logged in users from using these 
devices (obviously in case they're not in use by vdr but I suppose that's off 
topic).

Both em8300 and vdr currently use the "video" group, udev rules and a 
console.perms.d snippet to get the desired behavior.  IIRC the only purpose 
of the console.perms.d snippet in both was to prevent pam_console from 
fiddling with the device permissions so that vdr could no longer use them 
when people logged in/out and/or to prevent pam_console from overriding the 
permissions set in udev rules by duplicating the rules in the console.perms.d 
snippet.  (Oh, BTW, looks like the vdr one still contains some event/input 
references that should have been moved to the vdr-remote package which is a 
plugin through which vdr may use those devices.)

So... where do we start?



