lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 17 May 2017 13:02:22 +0200
From:   Michal Hocko <mhocko@...nel.org>
To:     Pavel Machek <pavel@....cz>
Cc:     Jingoo Han <jingoohan1@...il.com>,
        Lee Jones <lee.jones@...aro.org>, linux-fbdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: setting brightness as privileged operation?

On Fri 12-05-17 11:47:12, Pavel Machek wrote:
> On Fri 2017-05-12 08:20:04, Michal Hocko wrote:
> > On Thu 11-05-17 23:07:55, Pavel Machek wrote:
> > > On Thu 2017-01-05 10:23:07, Michal Hocko wrote:
> > > > Hi,
> > > > I have just learned that my Xfce Power Manager cannot manipulate
> > > > brightness because I do not have policykit installed on my computer.
> > > > There is a reason for that (yeah it depends on systemd which I prefer
> > > > not have).
> > > > 
> > > > While this is clearly a problem of the Xfce applet I am wondering why
> > > > setting the brightness has to be a privileged operation at all. Is there
> > > > any strong reason for it or just a general policy that we do not give
> > > > world writable files into sysfs?
> > > 
> > > Well, if you have another user logged in using ssh, and changing _your_
> > > brightness, that will be somehow annoying, right?
> > 
> > I am pretty sure that such a user can do much larger harm than playing
> > with brigtness of my LCD. Anyway I went with my own rc.local hack.
> 
> Can he? Those are bugs to be fixed. We don't want them in kernel...

Good luck with that whack a mole. But more seriously. Having an
untrusted user on a system requires many measures including a very
restricted access to mounted filesystems to contain such a user.
Something tells me that /sys is one of the first candidate to deny
access to.

Instead it seems that we enforce people to use policy kit and other crap
to allow to use my HW as I want. I will not argue more here, I have a
workaround for me but this is just weird...
-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists