[EMAIL PROTECTED] (Sam Hartman) writes: > The problem is fairly simple. Some of our users actually want to use > their systems once they get it installed.
;-) > Perhaps when Debian and the FHS originally made this decision, users > could be expected to simply add themselves to groups if they noticed > they needed the permissions associated with these groups. However as > Debian has gained appeal to a wider audience and as peoples' > expectations of usability increase, users want more reasonable > default behavior. If we're talking about single-user machines with a graphics card for a console, then I certainly agree. We need to be careful to avoid a change that makes things worse (less secure, etc) for headless systems like servers, though. > The Redhat pam_console module does seem to do roughly what we want . The idea of conditionalizing access rights on the basis of whether a user currently controls "the console" feels to me like exactly the right way to approach this issue. I haven't studied pam_console, and so don't have a strong opinion on whether it's the right hunk of code or not. Bdale