Debian Bug report logs - #653760
consolekit conflicts with device user groups (introduces regression, fails to deliver functionality)


Package: consolekit; Maintainer for consolekit is Robert Millan <rmh@debian.org>; Source for consolekit is src:consolekit.

Reported by: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>

Date: Fri, 30 Dec 2011 19:33:02 UTC

Severity: normal

Found in version consolekit/0.4.1-4



Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#653760; Package consolekit. (Fri, 30 Dec 2011 19:33:05 GMT)

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 30 Dec 2011 19:33:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: submit@bugs.debian.org
Subject: consolekit conflicts with device user groups (introduces regression, fails to deliver functionality)
Date: Fri, 30 Dec 2011 20:30:36 +0100
Package: consolekit
Version: 0.4.1-4

On the general level:
Consolekit seems to switch permissions on devices,
but it does not support, actually conflicts, with the unix/debian way of
limiting the access to devices with user groups.

On the specific level:
Consolekit fails to switch permissions for sound devices, if a
member of the audio group is logged in and the console user
changes ("fast user switching").
A more specific bug description is "Only one user gets sound with
privilege "Use audio devices" [the audio group]" Details at:
https://bugs.launchpad.net/ubuntu/+source/consolekit/+bug/433654

For a brief explanation see: https://wiki.ubuntu.com/Audio/TheAudioGroup


Debian will have to come to a general decision on how to solve the
issue.

The consolekit docs seem to suggest to drop the hardware groups
altogether, and thus stop admins from being able to grant permissions
to just some users (privileged users allowed to make announcements for
example) simply by managing group memberships.

Yet, this does not seem to integrate well for a universal OS used for
systems of a broad range of sizes and complexities.

Another solution that avoids this conflict and regression may
be to let consolekit respect the audio group (and other
hardware groups) and only give a console user access if found in the
appropriate group. As well as find a way to switch permissions between
users that are in the group.

Some specific ideas at gentoo:
http://archives.gentoo.org/gentoo-dev/msg_c5ea1c211d36bf8823ea5cb8ab40ca07.xml
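
An audit sketch for the conflict reported in the message above, added here as an example and not part of the original report or of ConsoleKit. It assumes the active console user's grant appears as a named-user ACL entry on the sound device and that the device's owning group is `audio`; the `getfacl` output and `/etc/group` lines are constructed samples, and the function names are hypothetical.

```python
# Added example; both samples are constructed, not taken from the bug report.
SAMPLE_GETFACL = """\
# file: dev/snd/controlC0
# owner: root
# group: audio
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---
"""
SAMPLE_GROUP = "audio:x:29:bob,carol\nvideo:x:44:alice\n"


def parse_group_file(text):
    """Map group name -> supplementary members (/etc/group format).
    Users whose *primary* group is the device group are not listed here."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def sound_access(getfacl_text, group_text):
    """Return who has effective rw on the device, split by how it is granted."""
    groups = parse_group_file(group_text)
    owning_group, mask, entries = None, "rwx", []
    for raw in getfacl_text.splitlines():
        if raw.startswith("# group:"):
            owning_group = raw.split(":", 1)[1].strip()
        elif raw.strip() and not raw.startswith("#"):
            parts = raw.split()[0].split(":")  # drops a trailing "#effective:" note
            if len(parts) == 3 and parts[0] == "mask":
                mask = parts[2]
            elif len(parts) == 3:
                entries.append(tuple(parts))

    def rw(perms):  # named-user and group entries are limited by the mask
        return all(perms[i] != "-" and mask[i] != "-" for i in (0, 1))

    per_user_acl, via_group = set(), set()
    for tag, name, perms in entries:
        if tag == "user" and name and rw(perms):
            per_user_acl.add(name)          # switchable per-session grant
        elif tag == "group" and rw(perms):
            via_group |= groups.get(name or owning_group, set())  # standing grant
    return {"per_user_acl": per_user_acl, "via_group": via_group}
```

Users reported under `via_group` keep read/write access no matter which session is active, so removing a per-user ACL entry on a user switch does not take the device away from them.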





Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#653760; Package consolekit. (Sat, 31 Dec 2011 10:45:03 GMT)

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 31 Dec 2011 10:45:05 GMT)

Message #10 received at 653760@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 653760@bugs.debian.org
Subject: switching permissions
Date: Sat, 31 Dec 2011 11:52:51 +0100

Not sure if this is the way it works or it could work:

To deliver proper consolekit functionality even with audio group
members present:
If consolekit is installed and enabled, disable (udev?)
to set the ownership of sound devices to the audio group.
(policy: "give precedence to console users")

Then, if the console user is a member of the audio group, let consolekit set
the sound device ownership to the private group of the console user
(root:<user>)

This should avoid the conflict and not give access to unprivileged
console users, yet enable exclusive access for one privileged console
user, which may still individually decide to share its pulseaudio?
socket with other users.

Remember there may be multiple seats per machine. In this case, the
first console user to login may be given exclusive access
by default, but each console user should be able to request
exclusive access from devicekit? and get it if the device is not used.
If the device is in use, access depends on the permissions the first
user grants to others. Additionally, a "shared-console"? group
could be introduced to provide the option to grant all console users
shared group access to the sound device? Consolekit checking against
the group and adding the members to ACLs?




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#653760; Package consolekit. (Sat, 31 Dec 2011 11:18:14 GMT)

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 31 Dec 2011 11:18:19 GMT)

Message #15 received at 653760@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 653760@bugs.debian.org
Subject: group names
Date: Sat, 31 Dec 2011 12:24:11 +0100

It may be preferable to keep the traditional meaning of the audio group
and use new ones for the consolekit behavior.

consolekit        (may be granted access to devices if sitting at seat x)
audio             (access even if not at a console)
consolekit-audio  (access even if not alone at console)




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#653760; Package consolekit. (Sat, 31 Dec 2011 11:33:18 GMT)

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 31 Dec 2011 11:33:19 GMT)

Message #20 received at 653760@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 653760@bugs.debian.org
Subject: Re: group names
Date: Sat, 31 Dec 2011 12:40:58 +0100

More systematically:

audio (access even if not at a console)

consolekit (may be granted access to devices if sitting at seat x)
consolekit-audio (access only to audio)

consolekit-shared (device access even if not alone at console)
consolekit-shared-audio (shared access only to audio)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:43:05 2014; Machine Name: beach.debian.org
