signature.ascDescription: OpenPGP digital signature
|
| From: | Philip Hands |
| Subject: | Re: [Fsfe-uk] Linux for Kids Briefi |
| Date: | Fri, 01 Oct 2004 12:41:34 +0100 |
| User-agent: | Mozilla Thunderbird 0.7.3 (X11/20040830) |
Dominic Hargreaves wrote:
Uhm, how is this going to be better? At best it will be no worse than a poorly configured pam_console hack, since at least you /might/, with said hack, restrict access to the bona fide "owner" of the data on removable drives. If you just put everyone is a group that can read the device all the time you have lost completely.
Ah, now you're coming up with a different justification for doing that.By default, the files on a mounted CD are world readable, so restricting who can mount it doesn't get you what you're asking for. To achieve that with pam_console, you'd also have to have it tweak the options in /etc/fstab to set the mask and uid settings, which would make it even more disgusting in my view (and considerably more complicated, bug prone etc.).
I suppose if I wanted to do what you describe I'd write a mount wrapper that sets the permissions on the contents using mount's uid/gid/mask options, and then use sudo to ensure only the right people are allowed to run that script as root.
If you're willing to turn Linux into a single-user system, then pam_console fits right in, but I'd say that the fact that it makes the system's behaviour variable means that it's likely to make the system less reliable, and less predictable.
To make a feeble effort at dragging this back on topic, I'd say that the reason that the few children I know seem to have no interest in finding out how computers work is that they've been exposed mostly to MS systems, which behave somewhat randomly, and therefore give the impression of being run by magic, and incomprehensible.
I'd say you've got a much better chance of explaining that a device is only accessible because of group permissions, possibly via a script that enables that access, than having to dive into the fact that every time you log in some of PAM has rummaged with your system to make it seem more friendly than it really is. I suppose pam_console makes me bristle because it gives rise to surprising behaviour.
Let's say that you explain to your child that when they asked you to log in to look at something else via ssh, that you broke their access to the CD, and that in future if that happens and you're not around, they should log out and back in again to fix it. Does that make the system sound like it's likely to be easily understandable, and worth investigating further?
On the other hand, if you say "Ah, the reason you were not allowed to do that is because you're not a member of the cdrom group, I'll add you to that group, and that problem will be solved forever".
If you say that pam_console shouldn't do that for ssh logins, then you have to explain to your child why when they ssh between machines that they can do everything they can normally do on the machine, oh, except mount a CD, etc. etc.
Cheers, Phil.
signature.asc
Description: OpenPGP digital signature
| [Prev in Thread] | Current Thread | [Next in Thread] |