On Sun, Oct 28, 2012 at 06:08:46PM +0100, Tom Gundersen wrote:
This means that both the user granted permissons by ACL, and the user granted permission by being in the right group will have access to the device. In other words, if your user had access without logind/CK s/he will still have access with.
The problem might be that programs now rely on logind/CK to _take away_ permissions from inactive users to make sure that at most one user has access to the device at any given time.
You (Tom) pointed out a way to disable logind modifying device ACLs recently. It could be a good thing to have that in the online docs for those users (like me) for whom this sort of thing is unwanted. Logind's behaviour seems to be based on two assumptions: 1. A non-local user (not near the system's HW) can't do anything useful with e.g. audio interfaces. 2. A local user (having access to the system's HW) can do whatever evil he wants so there's no point in taking away any permissions. Both can easily be wrong. For example at one of the audio studios I work, the audio processing machines are headless and mounted in a rack in a separate technical room. They are used via SSH logins or by using remote control protocols. But all the audio inputs and outputs of their soundcards are wired to the mixer or the patchbay in the studio, so they are 'local' there - this violates (1). For (2), a local user can do whatever evil only if he has unlimited time and is not supervised. I routinely let clients login to the local machines in the studio (they have to in order to do their work). That doesn't mean they should be able to copy other customer's data when I'm out for a minute to get us a coffee. So they must not be able to mount USB disks etc. I'm pretty sure there are many such cases in other environments. Ciao, -- FA A world of exhaustive, reliable metadata would be an utopia. It's also a pipe-dream, founded on self-delusion, nerd hubris and hysterically inflated market opportunities. (Cory Doctorow)