There are about a hundred devices in /dev (ls /dev/* | wc -l returns 1016 for me) and Debian provides only 40 groups.
This shows that an admin doesn't have fine control over distributing tasks to other users w/o giving them too much power. For example, to give access to a SCSI HD to a particular user, an admin must do addgroup <user> disk, and the user is then able to modify 444 devices (ls -l /dev/* | grep disk | wc -l), which is too much. So, to do it securely, the sysadmin must play with chown & chgrp on a lot of devices, which isn't clear.

Another example: I have a SCSI scanner which is compatible with SANE, and everyone knows that a scanner uses /dev/sg*. Here are my /dev/sg*:

    crw------- 1 root root 21, 0 Jul 21 1998 /dev/sg0
    crw------- 1 root root 21, 1 Jul 21 1998 /dev/sg1
    crw------- 1 root root 21, 2 Jul 21 1998 /dev/sg2
    crw------- 1 root root 21, 3 Jul 21 1998 /dev/sg3
    crw------- 1 root root 21, 4 Jul 21 1998 /dev/sg4
    crw------- 1 root root 21, 5 Jul 21 1998 /dev/sg5
    crw------- 1 root root 21, 6 Jul 21 1998 /dev/sg6
    crw------- 1 root root 21, 7 Jul 21 1998 /dev/sg7

So only root is able to use these devices, and if I want to scan as a simple user, I must do as root (my scanner is /dev/sg1):

    addgroup sg
    chown root.sg /dev/sg*
    chmod 660 /dev/sg*
    addgroup <user> sg

and it should work. But I think that this method isn't clean because we change the Debian defaults, and Debian should be adapted to the software it distributes. OK, you can say that it's the admin's task, but it would be cleaner to do this, and the admin can't do everything.

For example, if the dpkg database.... were like an email spool, owned by a group called pkg for example, root could give the package management to a specific user. For now, even if the admin does

    addgroup pkg
    chown -R root.pkg /var/lib/dpkg
    chmod -R g+....

dpkg will say that it needs root.

What I say is maybe stupid, but it would be really simpler and more efficient to divide the system into a multitude of groups. I know that a user can't be part of more than 32 groups too, so it's impossible to make many groups.
As a result, the only thing to do, I think, is to remove the 32 groups per user limit and make as many groups as we can, associating the rights with these groups.

-- 
Sami Dalouche : [EMAIL PROTECTED]
ICQ : 25529539
AIM : linhax
IRC nick : linhax
DHIS : pingoo.dhis.org
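
The per-group device counts the message gets with ls | grep | wc can be read from the group column and the group mode bits instead, which avoids counting lines that merely contain the word "disk". This is an added example, not part of the original message; the listing it runs on is constructed, and the function names group_exposure and sample_listing are made up for illustration.

```shell
#!/bin/sh
# Added example: for each group, count the device nodes that membership in
# that group lets a user read and write. Feed it `ls -l` output, e.g.:
#     ls -l /dev/* | group_exposure
# Output: one "<group> <group-readable> <group-writable>" line per group.

group_exposure() {
    awk '
        # Keep only block (b) and character (c) device nodes; this skips
        # "total N" lines, directory headers, directories and symlinks.
        $1 ~ /^[bc][-r][-w]/ {
            grp = $4                       # 4th ls -l column is the group
            seen[grp] = 1
            # Characters 5-7 of the mode string are the group rwx bits.
            if (substr($1, 5, 1) == "r") r[grp]++
            if (substr($1, 6, 1) == "w") w[grp]++
        }
        END {
            for (g in seen) printf "%s %d %d\n", g, r[g], w[g]
        }
    ' | sort
}

# Constructed sample listing (not taken from a real system).
sample_listing() {
    cat <<'EOF'
total 0
brw-rw---- 1 root disk  8,  0 Jul 21  1998 /dev/sda
brw-rw---- 1 root disk  8,  1 Jul 21  1998 /dev/sda1
brw-rw---- 1 root disk  8, 16 Jul 21  1998 /dev/sdb
crw------- 1 root root 21,  0 Jul 21  1998 /dev/sg0
crw-rw---- 1 root sg   21,  1 Jul 21  1998 /dev/sg1
crw--w---- 1 root tty   4,  1 Jul 21  1998 /dev/tty1
drwxr-xr-x 2 root root       0 Jul 21  1998 /dev/pts
EOF
}

sample_listing | group_exposure
```

Running it before and after a chown/chmod change shows exactly how many nodes a given addgroup call would hand to a user.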