pam_console - no way to specify a gid?
Sam Varshavchik
mrsam at courier-mta.com
Mon Apr 24 00:29:05 UTC 2006
After looking at pam_console's documentation, and peeking at the source
code, it looks like there's no way to set a device's groupid to anything
other than the console login account's primary groupid. The only time a
device's groupid gets set is when all permissions get reset, after a logout.
I wonder if this is something that simply never got implemented, or if
there's some specific reason this should not be done. I can't think of any,
myself.

I'm packaging up MythTV. After pondering for a while how I was going to do
that, I chose to run all myth stuff under a reserved system account. But
now, when I log in from the console, pam_console gives me the ownership of
all <v4l> and <sound>, mode 0600. Since the mythtv stuff is always running
in the background, under its own separate userid, and it needs access to
<v4l> and <sound> devices, this obviously becomes a problem.

My only option, at the moment, is to install a file in
/etc/security/console.perms.d that overrides the <v4l> and <sound> entries,
and makes all of these devices mode 0666. I don't like this, but I can't
think of anything better. I think it's better to set these device files'
userid to the console login account's userid, and a group id to the mythtv
groupid, with mode 0660, but, right now, this is just not possible.
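
The trade-off described in the message above, as an added example that is not part of the original post and is not pam_console code: it applies the standard Unix owner/group/other check to the three permission schemes mentioned (0600 owned by the console user, the 0666 override, and the wanted 0660 with the mythtv group). The uid and gid numbers are constructed, and `can_open_rw`, `audit_device`, `audit_paths` and `run_scenarios` are hypothetical helper names.

```python
import os
import stat

def can_open_rw(mode, owner_uid, group_gid, uid, gids):
    """Classic Unix DAC check for read+write (ignores root and ACLs)."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7      # owner bits apply, even if stricter
    elif group_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 6 == 6

def audit_device(mode, owner_uid, group_gid, console_uid, svc_uid, svc_gid):
    """Return the list of problems for one device node's ownership and mode."""
    findings = []
    if mode & 0o006:
        findings.append("world-accessible")        # any local account gets in
    if not can_open_rw(mode, owner_uid, group_gid, svc_uid, {svc_gid}):
        findings.append("service-locked-out")      # background daemon fails
    if not can_open_rw(mode, owner_uid, group_gid, console_uid, set()):
        findings.append("console-user-locked-out")
    return findings

def audit_paths(paths, console_uid, svc_uid, svc_gid):
    """Stat real device nodes and audit each one; non-devices are skipped."""
    report = {}
    for p in paths:
        st = os.stat(p)
        if not (stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)):
            continue
        report[p] = audit_device(stat.S_IMODE(st.st_mode), st.st_uid,
                                 st.st_gid, console_uid, svc_uid, svc_gid)
    return report

CONSOLE_UID, MYTH_UID, MYTH_GID = 500, 101, 101  # constructed ids, not from the post
SCENARIOS = {  # name: (mode, owner uid, group gid), all constructed
    "default-0600": (0o600, CONSOLE_UID, 500),
    "override-0666": (0o666, CONSOLE_UID, 500),
    "wanted-0660": (0o660, CONSOLE_UID, MYTH_GID),
}

def run_scenarios():
    return {name: audit_device(m, o, g, CONSOLE_UID, MYTH_UID, MYTH_GID)
            for name, (m, o, g) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'ok'}")
```

`audit_paths` runs the same check against real nodes, for example the sound and video devices on the machine being packaged for.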