Users and Groups

Mikkel L. Ellertson mikkel at infinity-ltd.com
Sat Dec 8 00:34:11 UTC 2007 

Les Mikesell wrote:
> Mikkel L. Ellertson wrote:
> 
>>> If you log in or su to root, the black magic permission changing where
>>> the system guesses that a user touching the keyboard should own nearby
>>> devices doesn't matter anyway.
>>>
>> What guessing? Why should it not matter who is logged into the local
>> console? Or are you arguing that on a normal desktop system, a
>> remote user should have access to things like sound, and the
>> built-in video?
> 
> I'm arguing that whether you have access to those devices should depend
> on who you are, not where you are, just like every other unix operation
> checks pre-established settings for user and group values against
> pre-established settings on every file and device when opening them.  It
> shouldn't be determined by whether you are able to touch a certain
> keyboard.
> 
It adds one more level of control. Instead of a user being able to
access a device from anywhere, you can limit access to when they are
actually at the machine. Just like you can do for running some
programs. If you only run servers, then it is probably not useful to
you. For desktop users, it can be very useful. It can also be a
security measure. For example, You may want to set it up so the user
that is syncing their PDA is the only one that can access it.
Because they have to be at the local console to use the sync cradle,
you limit the access to the local user. (Network syncing a PDA is
outside the scope of this - most users are not going to be doing
this.) User A can sync his PDA when he is using the machine locally,
but user B can not access it remotely. But user B can sync his PDA
when he is logged in locally at the same machine. Kind of like why
each user has their own user name and password, instead of everyone
sharing one.

There are a lot of resources that were not available in the original
UNIX systems, or were not usable by a normal user, that users
commonly use today. Because of this, Linux handles some resources in
ways that user/group permission are nto the best choice. Arguments
that boil down to "it has always been done that way" are not going
to cut it.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20071207/721314cc/attachment-0001.sig>

More information about the fedora-list mailing list