Users and Groups

Les Mikesell lesmikesell at gmail.com
Sat Dec 8 18:17:31 UTC 2007


Mikkel L. Ellertson wrote:

>> I'm arguing that whether you have access to those devices should depend
>> on who you are, not where you are, just like every other unix operation
>> checks pre-established settings for user and group values against
>> pre-established settings on every file and device when opening them.  It
>> shouldn't be determined by whether you are able to touch a certain
>> keyboard.
>>
> It adds one more level of control. Instead of a user being able to
> access a device from anywhere, you can limit access to when they are
> actually at the machine.

But the 'console' isn't something special in a multiuser system. 
Personally, I do almost all Linux work through NX/freenx, remote X, or 
ssh connections.  I may be near enough to want to use speakers or CD 
devices but not using the attached keyboard - if there is one.

> Just like you can do for running some
> programs. If you only run servers, then it is probably not useful to
> you.

There is not a clear line between a server and a desktop.  For me, the 
'desktop' may only be running X or NX.

> For desktop users, it can be very useful. It can also be a
> security measure.

If you throw away the concepts of remote access and multiuser operation.

> For example, You may want to set it up so the user
> that is syncing their PDA is the only one that can access it.
> Because they have to be at the local console to use the sync cradle,
> you limit the access to the local user.

Like I said, I may be 'near' a machine but not using its keyboard.

> There are a lot of resources that were not available in the original
> UNIX systems, or were not usable by a normal user, that users
> commonly use today. Because of this, Linux handles some resources in
> ways that user/group permission are not the best choice. Arguments
> that boil down to "it has always been done that way" are not going
> to cut it.

It's not _just_ that it has always been done that way - it was done that 
way for good reasons and it doesn't make much sense to dumb down an 
elegant system designed for multiuser and network access and pretend it 
can only be accessed for certain things if you happen to be typing at a 
certain keyboard.  As an _option_ that you could activate if you happen to 
have that sort of situation and don't care about network/remote access 
it would make sense, but it is throwing away a lot to pretend that it is 
only designed to be used from one special device and make the other 
things break by default.

-- 
   Les Mikesell
    lesmikesell at gmail.com