On Tue, 10 Oct 2006 11:20:26 +0200 Gabor Gombas <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote: > > > That is no longer a reality with groups like plugdev, powerdev and > > netdev, which users need to be a member of to be able to get the wonders > > of automatically mounted usb-sticks, tweakable power management and > > whatever comes with the utopia stack. > > Then use pam_group to temporarily assign those groups to users. That way > the gids can be different on every system, and you can even gain > performance by having less groups in LDAP. Hmm, pam_group doesn't sound to secure to me... what if on one machine gid 110 is www-data and on another plugdev. Then if a user logs in on the second machine it will get access to gid 110, make some suid executable, which on another machine ... Well the nfs mount is nosuid, but still, I find this a bit scary. > Especially if you have more than a handful of users (and if you are > considering LDAP, I assume you have), groups with hudreds or thousands of > members can cause headaches. But this is of course true... grts Tim -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
