[arch-general] Standard group for "hardware user"?

mustermann, max bluemorpho at mykolab.com
Wed Jan 7 12:58:01 UTC 2015


Hello,

I'm not sure how useful this advice is, but have you considered asking on 
the archbsd mailing list? I don't know if they're using udev, mdev or 
another thing, but they may have some tips for that.

regards,



On 2015-01-07 10:09, Tobias Hunger wrote:
> Hi Neale,
> 
> The packages in arch are built with the systemd security model in
> mind. You are changing that pretty fundamental assumption by ripping
> out systemd, logind & co. and that will have an effect on the overall
> security of your system. At least give the packages a chance to
> respond to that changed assumption by rebuilding them, telling them
> that there won't be any systemd. That way they can adapt their
> configuration and permissions during install (not that I think many
> will;-). Ideally you would also go through all PKGBUILDs with a fine
> toothed comb to find settings that need to be adapted from the
> arch-defaults before rebuilding.
> 
> Of course you also need to be aware of the security issues that were
> fixed by logind. This is mostly (remote) users being able to snoop on
> local users by recording keystrokes or even audio/video of them at the
> machine. People argue that this is not much of an issue on a
> single-user machine.
> 
> You also will need to run xorg as root, which is a huge piece of code
> known to be written before security was a concern to developers.
> Logind allows running that as a normal user (provided other conditions
> are met as well).
> 
> TL;DR: Replacing systemd in arch is nothing that should be attempted
> in an idle afternoon.
> 
> Best Regards,
> Tobias


> On Tue, Jan 6, 2015 at 12:42 AM, Neale Pickett <neale at woozle.org> wrote:
>> I'm not going to remove any groups, but I want to make sure I'm not
>> configuring mdev to set ownership to a group that may not exist in the
>> future. I will probably create a new group called "hardware" that will
>> allow users to access audio, video, serial, and USB storage devices, and
>> use Posix ACLs to set individual permissions for daemons like mpd. Things
>> that are packaged now should continue to work (or not) as normal with
>> Arch's default filesystem groups if they're using my mdev/runit setup.
>> 
>> I do have systemd installed. Too many things depend on it for me to remove
>> it. If I could remove or recompile X11, tcpdump (libusb), nfs-utils
>> (device-mapper), and procps-ng, I think I might be able to remove the
>> systemd package. But I have enough work already, I don't need to go
>> recompiling stuff just to get rid of a single dependency! :)
>> 
>> On Mon Jan 05 2015 at 3:47:37 PM Leonid Isaev <lisaev at umail.iu.edu> wrote:
>> 
>>> On Mon, Jan 05, 2015 at 09:59:51PM +0000, Neale Pickett wrote:
>>> > This is very helpful. Thank you!
>>> 
>>> If you go with your own group list, check configs of your daemons to see which
>>> groups they expect. Some (e.g. dnsmasq) will call useradd and groupadd in their
>>> .install files. But syslog-ng, for example, by default creates log files 640
>>> root:log...
>>> 
>>> Also, I just wonder, do you have systemd installed at all?
>>> 
>>> Cheers,
>>> --
>>> Leonid Isaev
>>> GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
>>>                   C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
>>> 
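
A check for the concern raised in the quoted thread (mdev rules that assign a device to a group which does not exist), as an added example that is not part of any poster's message. The function name is hypothetical, and the rule layout assumed is BusyBox mdev.conf's `<device regex> <user>:<group> <mode>`.

```shell
#!/bin/sh
# Added example (not from the thread): report groups referenced in an
# mdev.conf that are absent from the group database, so a device node
# never ends up owned by an unintended or nonexistent group.
# usage: missing_mdev_groups /etc/mdev.conf [/etc/group]

missing_mdev_groups() {
    conf=$1
    groupdb=${2:-/etc/group}
    awk -v db="$groupdb" '
        # Group database lines: name:passwd:gid:members.
        # Record both the name and the numeric gid, since a rule may use either.
        FILENAME == db {
            split($0, f, ":")
            known[f[1]] = 1
            known[f[3]] = 1
            next
        }
        # mdev.conf: skip comments and lines without an owner field.
        /^[ \t]*#/ || NF < 2 { next }
        {
            # Field 2 is user:group; ignore anything that does not parse.
            if (split($2, owner, ":") != 2) next
            g = owner[2]
            # Print each missing group once, in order of first appearance.
            if (!(g in known) && !(g in seen)) {
                seen[g] = 1
                print g
            }
        }
    ' "$groupdb" "$conf"
}
```

An empty result means every group named in the rules exists; any name printed should be created (or the rule corrected) before mdev applies the rule.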

