
   alt.os.linux.mandriva      Somewhat decent but also getting bloated      29,919 messages   


   Message 29,648 of 29,919   
   Markus R. Keßler to Aragorn   
   Re: X.11-GDM-KDE, how can not-logged-in    
   05 Nov 14 11:29:56   
   
   From: dimke.fax@uni.de   
      
   Hi,   
      
   Aragorn wrote:   
      
   > On Wednesday 05 November 2014 07:57, Markus R. Keßler conveyed the   
   > following to alt.os.linux.mandriva...   
   >   
   >> Hi everyone,   
   >>   
   >> for security purposes, I usually distinguish between higher and lower   
   >> risk users in Mandriva (and SuSE also).   
   >>   
   >> I log in to X.11 / GDM / KDE as the user who needs maximum rights,   
   >> and other users which I need for firefox with flash contents (for   
   >> web-based learning, video conferences etc) are just logged in via shell   
   >> window and "su - newuser" and then starting firefox or opera under   
   >> that user.   
   >>   
   >> This works fine and any attack would run only with very limited user   
   >> rights, but in this case I cannot access /dev/dsp etc from this new   
   >> user.   
   >   
   > What are the permissions on /dev/dsp, /dev/video, et al?   
      
   [668 dimke@ansgar ~]$ ll /dev/dsp   
   crw-rw----+ 1 root audio 14, 3 2014-11-05 07:26 /dev/dsp   
      
   [669 dimke@ansgar ~]$ ll /dev/video0   
   crw-rw----+ 1 root video 81, 0 2014-11-05 12:26 /dev/video0   
      
   [670 dimke@ansgar ~]$ /usr/bin/getfacl /dev/dsp   
   getfacl: Removing leading '/' from absolute path names   
   # file: dev/dsp   
   # owner: root   
   # group: audio   
   user::rw-   
   user:dimke:rw-   
   group::rw-   
   mask::rw-   
   other::---   
      
   [671 dimke@ansgar ~]$ /usr/bin/getfacl /dev/video0   
   getfacl: Removing leading '/' from absolute path names   
   # file: dev/video0   
   # owner: root   
   # group: video   
   user::rw-   
   user:dimke:rw-   
   group::rw-   
   mask::rw-   
   other::---   
      
      
   >> It seems to me that access to audio devices is set via ACL while   
   >> logging in to the graphical session.   
   >   
   > I must admit that I haven't checked on that, but it's possible.  Another   
   > trick, which Mandrake/Mandriva /used to/ apply in the past, is to change   
   > ownership of /dev/dsp and friends on-the-fly, depending on who was   
   > logged in via kdm.   
   >   
   > Something you have to keep in mind if you decide to change the   
   > permissions and/or ownership of files under /dev is that they reside on   
   > tmpfs, so the changes will not persist across reboots.   
   >   
   > Of course, you could change ownership via a boot-up script, but I'm no   
   > expert on systemd.  As I gather, it does have compatibility with   
   > sysvinit, so it should be able to run the equivalent of an rc.local -   
   > perhaps local.service or something of that nature?   
      
   Thanks, best regards,   
      
   Markus   
   --   
   Please reply to group only.   
   For private email please use http://www.dipl-ing-kessler.de/email.htm   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
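
The /dev/dsp ACL quoted in the message above, evaluated in the access-check order documented in acl(5), as an added example that is not part of the original post. The user name `newuser` comes from the post; the group lists passed in are assumed values.

```python
# Added example: who gets access under the ACL printed by getfacl above?
# Order per acl(5): owner, named user, group class, other.

# getfacl output for /dev/dsp as posted in the message above.
DSP_ACL = """\
# file: dev/dsp
# owner: root
# group: audio
user::rw-
user:dimke:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # Drop a trailing "#effective:..." comment if getfacl printed one.
            tag, qualifier, perms = line.split()[0].split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return owner, group, entries

def check_access(text, user, groups, want="rw"):
    """Return (granted, matched_entry); `user` and `groups` are assumed inputs."""
    owner, owning_group, entries = parse_getfacl(text)
    want = set(want)
    perms = {(t, q): p for t, q, p in entries}
    mask = perms.get(("mask", ""), {"r", "w", "x"})
    if user == owner:                       # 1. owner: mask does not apply
        return want <= perms[("user", "")], "user::"
    if ("user", user) in perms:             # 2. named user, limited by mask
        return want <= (perms[("user", user)] & mask), f"user:{user}"
    # 3. group class: owning group plus named groups, each limited by mask
    matches = [("group", "")] if owning_group in groups else []
    matches += [("group", g) for g in groups if ("group", g) in perms]
    if matches:
        ok = any(want <= (perms[m] & mask) for m in matches)
        return ok, "group class"
    return want <= perms[("other", "")], "other::"   # 4. everyone else
```

With the posted ACL, `check_access(DSP_ACL, "newuser", ["newuser"])` falls through to `other::---`, which matches the denied access described for the `su - newuser` session.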
