Nick Sayer <[EMAIL PROTECTED]> writes:
> Cyrille Lefevre wrote:
>
> > Nick Sayer <[EMAIL PROTECTED]> writes:
> >
> > > Cyrille Lefevre wrote:
> > >
> > > > Poul-Henning Kamp <[EMAIL PROTECTED]> writes:
> > > >
> > > > > In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>wri
> > > > > tes:
> > > > >
> > > > > >So what does everyone think? Is it suitable to add a read only
> > > > > >sysctl 'machdep.apm_powerstate' that reports either AC, nn%,
> > > > > >or N/A ? Or should the format be numeric (999 = AC, <=100 = battery %,
> > > > > >-1 = N/A)? Or should we not bother? :-)
> > > > >
> > > > > yes it is suitable.
> > > >
> > > > isn't it the job of one of the apm options ? such as apm -l ?
> > >
> > > The problem with that is that it requires permission to open /dev/apm, after
>which
> > > one also has permission to suspend the machine or do other mischief.
> > > A separate interface allows us to specify a means to look up read-only
> > > information without special permissions. Also, sysctl is not only a command
> > > line interface, it is available to programs as well, and is a simpler interface
> > > then open/ioctl/close.
> >
> > what about :
> >
> > echo apm::70: >> /etc/group
> > chgrp apm /dev/apm /usr/sbin/apm
> > chmod g=640 /dev/apm
> > chmod g+s /usr/sbin/apm
>
> Users or programs in group apm would still have permission to suspend the
> machine. Suspending the machine is an operation demanding a far higher level
> of machine access than simply checking the state of the batteries, in my
> opinion. Once you have an open file descriptor on /dev/apm, you can perform
> any ioctl you like on it. This way, privileges on /dev/apm can be closely held,
> and mere power meters don't have to be sgid.
well. as you said before, you just want a read-only sysctl. if the driver is not
secure. it's not my fault. it shouldn't be so complicated to secure it.
do you now if the permissions sets using make_dev() in i386/apm/apm.h are
used at a upper level ? or if the driver must do the job itself.
CC: to the original mailing-list.
Cyrille.
--
home:mailto:[EMAIL PROTECTED] Supprimer "%no-spam" pour me repondre.
work:mailto:[EMAIL PROTECTED] Remove "%no-spam" to answer me back.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
