You are not logged in.

#1 2012-09-22 13:41:39

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Usefulness of adding users to groups

Is adding users to groups any useful if you are using desktop environments, especiallly KDE and GNOME?


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

Offline

#2 2012-09-22 14:06:46

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Usefulness of adding users to groups

$ groups
lp cdrom audio video games wheel usb plugdev users vboxusers

(Different distro, but useful perspective).

So yeah, it's useful, otherwise I couldn't run 3D ("video" group), games ("games" group, although IIRC Arch doesn't bother with this), or even play audio.

As to why these groups exist, which is probably your second question - it's the whole "layers of security" thing.

Offline

#3 2012-09-22 14:28:17

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: Usefulness of adding users to groups

$groups
dolby

Different distro but useful perspective smile
I can play audio, games and i have 3d.

Isnt polkit used in Arch?

Fine read http://lwn.net/Articles/258592/


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

Offline

#4 2012-09-22 14:41:01

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Usefulness of adding users to groups

polkit has gone crazy with its new reliance on Javascript. Not KISS, and not wanted.

Which reminds me, I should probably look again at removing PAM.

Offline

#5 2012-09-22 15:08:39

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: Usefulness of adding users to groups

If you are using ConsoleKit or systemd-logind you don't need to be in any of those audio/video etc. groups, polkit will take care of it. I personally only use "sudo" and "adm" (to use journalctl).

and while I don't agree with the whole "consolekit and/or polkit are bloat", I do agree that the decision to use JavaScript to write rules is ridiculous. but that's kind of off-topic... wink

Offline

#6 2012-09-22 15:26:24

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: Usefulness of adding users to groups

Thats what i thought. My interest for bringing this up is that the Arch Wiki has the stuff about groups carved all over the place when in many of those situations its not needed. For example the beginners guide:
https://wiki.archlinux.org/index.php/Be … stallation
but my intent was for this discussion to reach a wider audience, otherwise i would have edited the wiki.

edit: Yes i know that not all people are using polkit and the like.

Last edited by dolby (2012-09-22 15:42:17)


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

Offline

#7 2012-09-22 15:33:12

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Usefulness of adding users to groups

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

Offline

#8 2012-09-22 15:54:31

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: Usefulness of adding users to groups

WonderWoofy wrote:

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

actually kvm works fine here without the group too. smile

Offline

#9 2012-09-22 16:35:57

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: Usefulness of adding users to groups

65kid wrote:
WonderWoofy wrote:

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

actually kvm works fine here without the group too. smile

That's courtesy of udev and ACLs -- nothing to do with polkit.

$ getfacl /dev/kvm 
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:noclaf:rw-
group::rw-
mask::rw-
other::---

Offline

#10 2012-09-22 16:47:47

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: Usefulness of adding users to groups

falconindy wrote:
65kid wrote:
WonderWoofy wrote:

I have always used groups, and never even thought about the fact that polkit would take care of these things.  I guess there are a few that I really do need to be in, like kvm (kernel virtual machines), tty (so that I can use directfb driven stuff without root), cdemu (its just a neat program),   and sys (so that I can fix my printers w/o root). 

But I guess the typical optical, video, audio, etc are not longer needed w/ polkit?  Sounds neat to me!

actually kvm works fine here without the group too. smile

That's courtesy of udev and ACLs -- nothing to do with polkit.

$ getfacl /dev/kvm 
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:noclaf:rw-
group::rw-
mask::rw-
other::---

Ah, interesting. so udev/ACL takes care of device node permissions and polkit is only for actions like "mount external disk" and "set up the network" (NetworkManager)?
So what is responsible for actually setting the ACLs when I log in? ConsoleKit/logind? PAM?

Offline

#11 2012-09-22 17:05:55

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: Usefulness of adding users to groups

It's a two part process:

1) udev rules tag devices with "uaccess" and "seat". These are devices which are possible candidates for unprivileged access.
2) On new session creation, logind or consolekit (udev-acl) applies ACLs based on authentication of the session (at_console rules, etc).

Offline

#12 2012-09-22 17:13:27

65kid
Member
From: Germany
Registered: 2011-01-26
Posts: 663

Re: Usefulness of adding users to groups

falconindy wrote:

It's a two part process:

1) udev rules tag devices with "uaccess" and "seat". These are devices which are possible candidates for unprivileged access.
2) On new session creation, logind or consolekit (udev-acl) applies ACLs based on authentication of the session (at_console rules, etc).

you never stop learning, thanks for the explanation. smile

Offline

#13 2012-09-22 20:33:05

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Usefulness of adding users to groups

65kid wrote:
falconindy wrote:

It's a two part process:

1) udev rules tag devices with "uaccess" and "seat". These are devices which are possible candidates for unprivileged access.
2) On new session creation, logind or consolekit (udev-acl) applies ACLs based on authentication of the session (at_console rules, etc).

you never stop learning, thanks for the explanation. smile

Yeah, I did not expect to get such amazing info from this thread smile

Offline

#14 2012-09-22 22:24:31

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Usefulness of adding users to groups

Does the application of ACLs by logind/consolekit apply to file systems where they are not specified, as with regular permissions? That is, aren't specific ACLs set for directories and files in the same way that permissions are i.e. they are part of the files' attributes?

[I'm not expressing this question very well.]


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#15 2012-09-22 22:50:26

bwat47
Member
Registered: 2009-10-07
Posts: 638

Re: Usefulness of adding users to groups

brebs wrote:

$ groups
lp cdrom audio video games wheel usb plugdev users vboxusers

(Different distro, but useful perspective).

So yeah, it's useful, otherwise I couldn't run 3D ("video" group), games ("games" group, although IIRC Arch doesn't bother with this), or even play audio.

As to why these groups exist, which is probably your second question - it's the whole "layers of security" thing.

You don't even need the audio group if you run pulseaudio smile

Offline

#16 2012-09-23 00:21:57

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Usefulness of adding users to groups

bwat47 wrote:

You don't even need the audio group if you run pulseaudio smile

I think this thread actually indicates you don't need the audio group (or a few others) if you run consolekit/polkit.

Offline

#17 2012-09-23 00:22:47

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: Usefulness of adding users to groups

So now that systemd is becoming the default (replacing consolekit) are there any groups that are actually needed?


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

Offline

#18 2012-10-04 08:54:51

HerbertJones
Member
Registered: 2012-10-04
Posts: 3

Re: Usefulness of adding users to groups

Yes. You need "games" to run Dwarf Fortress.

Last edited by HerbertJones (2012-10-04 08:55:36)

Offline

Board footer

Powered by FluxBB