Arch Linux

dolby

Member

From: 1992

Registered: 2006-08-08

Posts: 1,581

Usefulness of adding users to groups

Is adding users to groups any useful if you are using desktop environments, especiallly KDE and GNOME?

---

There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

brebs

Member

Registered: 2007-04-03

Posts: 3,742

Re: Usefulness of adding users to groups

$ groups
lp cdrom audio video games wheel usb plugdev users vboxusers

(Different distro, but useful perspective).

So yeah, it's useful, otherwise I couldn't run 3D ("video" group), games ("games" group, although IIRC Arch doesn't bother with this), or even play audio.

As to why these groups exist, which is probably your second question - it's the whole "layers of security" thing.

dolby

Member

From: 1992

Registered: 2006-08-08

Posts: 1,581

Re: Usefulness of adding users to groups

$groups
dolby

Different distro but useful perspective
I can play audio, games and i have 3d.

Isnt polkit used in Arch?

Fine read http://lwn.net/Articles/258592/

---

There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

brebs

Member

Registered: 2007-04-03

Posts: 3,742

Re: Usefulness of adding users to groups

polkit has gone crazy with its new reliance on Javascript. Not KISS, and not wanted.

Which reminds me, I should probably look again at removing PAM.

65kid

Member

From: Germany

Registered: 2011-01-26

Posts: 663

Re: Usefulness of adding users to groups

If you are using ConsoleKit or systemd-logind you don't need to be in any of those audio/video etc. groups, polkit will take care of it. I personally only use "sudo" and "adm" (to use journalctl).

and while I don't agree with the whole "consolekit and/or polkit are bloat", I do agree that the decision to use JavaScript to write rules is ridiculous. but that's kind of off-topic...

dolby

Member

From: 1992

Registered: 2006-08-08

Posts: 1,581

Re: Usefulness of adding users to groups

Thats what i thought. My interest for bringing this up is that the Arch Wiki has the stuff about groups carved all over the place when in many of those situations its not needed. For example the beginners guide:
https://wiki.archlinux.org/index.php/Be … stallation
but my intent was for this discussion to reach a wider audience, otherwise i would have edited the wiki.

edit: Yes i know that not all people are using polkit and the like.

Last edited by dolby (2012-09-22 15:42:17)

---

There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

WonderWoofy

Member

From: Los Gatos, CA

Registered: 2012-05-19

Posts: 8,414

Re: Usefulness of adding users to groups

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

65kid

Member

From: Germany

Registered: 2011-01-26

Posts: 663

Re: Usefulness of adding users to groups

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

actually kvm works fine here without the group too.

falconindy

Developer

From: New York, USA

Registered: 2009-10-22

Posts: 4,111

Website

Re: Usefulness of adding users to groups

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

actually kvm works fine here without the group too.

That's courtesy of udev and ACLs -- nothing to do with polkit.

$ getfacl /dev/kvm 
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:noclaf:rw-
group::rw-
mask::rw-
other::---

---

blog | ±github

65kid

Member

From: Germany

Registered: 2011-01-26

Posts: 663

Re: Usefulness of adding users to groups

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

actually kvm works fine here without the group too.

That's courtesy of udev and ACLs -- nothing to do with polkit.

$ getfacl /dev/kvm 
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:noclaf:rw-
group::rw-
mask::rw-
other::---

Ah, interesting. so udev/ACL takes care of device node permissions and polkit is only for actions like "mount external disk" and "set up the network" (NetworkManager)?
So what is responsible for actually setting the ACLs when I log in? ConsoleKit/logind? PAM?

falconindy

Developer

From: New York, USA

Registered: 2009-10-22

Posts: 4,111

Website

Re: Usefulness of adding users to groups

It's a two part process:

1) udev rules tag devices with "uaccess" and "seat". These are devices which are possible candidates for unprivileged access.
2) On new session creation, logind or consolekit (udev-acl) applies ACLs based on authentication of the session (at_console rules, etc).

---

blog | ±github

65kid

Member

From: Germany

Registered: 2011-01-26

Posts: 663

Re: Usefulness of adding users to groups

It's a two part process:

1) udev rules tag devices with "uaccess" and "seat". These are devices which are possible candidates for unprivileged access.
2) On new session creation, logind or consolekit (udev-acl) applies ACLs based on authentication of the session (at_console rules, etc).

you never stop learning, thanks for the explanation.

WonderWoofy

Member

From: Los Gatos, CA

Registered: 2012-05-19

Posts: 8,414

Re: Usefulness of adding users to groups

It's a two part process:

1) udev rules tag devices with "uaccess" and "seat". These are devices which are possible candidates for unprivileged access.
2) On new session creation, logind or consolekit (udev-acl) applies ACLs based on authentication of the session (at_console rules, etc).

you never stop learning, thanks for the explanation.

Yeah, I did not expect to get such amazing info from this thread

cfr

Member

From: Cymru

Registered: 2011-11-27

Posts: 7,152

Re: Usefulness of adding users to groups

Does the application of ACLs by logind/consolekit apply to file systems where they are not specified, as with regular permissions? That is, aren't specific ACLs set for directories and files in the same way that permissions are i.e. they are part of the files' attributes?

[I'm not expressing this question very well.]

---

CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

bwat47

Member

Registered: 2009-10-07

Posts: 638

Re: Usefulness of adding users to groups

$ groups
lp cdrom audio video games wheel usb plugdev users vboxusers

(Different distro, but useful perspective).

So yeah, it's useful, otherwise I couldn't run 3D ("video" group), games ("games" group, although IIRC Arch doesn't bother with this), or even play audio.

As to why these groups exist, which is probably your second question - it's the whole "layers of security" thing.

You don't even need the audio group if you run pulseaudio

WonderWoofy

Member

From: Los Gatos, CA

Registered: 2012-05-19

Posts: 8,414

Re: Usefulness of adding users to groups

You don't even need the audio group if you run pulseaudio

I think this thread actually indicates you don't need the audio group (or a few others) if you run consolekit/polkit.

dolby

Member

From: 1992

Registered: 2006-08-08

Posts: 1,581

Re: Usefulness of adding users to groups

So now that systemd is becoming the default (replacing consolekit) are there any groups that are actually needed?

---

There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

HerbertJones

Member

Registered: 2012-10-04

Posts: 3

Re: Usefulness of adding users to groups

Yes. You need "games" to run Dwarf Fortress.

Last edited by HerbertJones (2012-10-04 08:55:36)