[desktop-discuss] requirement for identifying a console user in RBAC
Lin Ma
Lin.Ma at Sun.COM
Thu Aug 16 19:05:42 PDT 2007
Hi,
Currently we can see there are lots of requirements in system user-level
for identifying a console user, especially in the scope of admin tools,
e.g. gnome-sys-suspend, gpm, nwam, etc. I think those tools would like
to give the console user the privilege to use them. I know now we have to
check the owner of /dev/console to identify it in each application if
necessary. But to be Solaris RBAC compliant, we'd better use an
auth_attr like solaris.device.console[.session] or whatever.
So I think the best way is to hack the login applications (dtlogin, gdm,
ttymon, etc). I've talked with Riny; he thinks all the login applications
finally invoke console_role_log[in|out] to change the owner of
/dev/console. If so, I think we can change those functions to add the
auth which I mentioned above to the login user. Riny told me if we have
the requirement, we can set up a discussion to change those functions
since they (Riny and his team) own them.
But here are some tech issues. Since all the changes happen in user
land, I took a quick look at /usr/man/man3secdb (note I'm not good at
SEC), and I found there are no functions supporting temporarily changing the
auths of a user. But one of them mentioned that libsecdb has an internal
storage (I guess I can call it a cache) of sec-related information for a
user. Since permanently changing /etc/user_attr for a console user is
not a good idea, maybe we need the assistance of the security team to evolve
them.
(We may make things complicated if we like, e.g. append a special
role to a console user.)
Is it possible? Comments?
lin
--
x82120 / +86 10 82618200
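As an added example, not part of Lin's post or of Solaris's own libsecdb code, here is a small Python prototype of the two checks the post contrasts: the ad-hoc "owner of /dev/console" test, and an authorization lookup over user_attr-format entries that honours the trailing `.*` wildcard the way Solaris auth names do. The user_attr lines and the `lin` user are constructed sample data, the `solaris.device.console` name is the one the post proposes, and the lookup ignores profiles and roles, which the real chkauthattr(3SECDB) also consults.

```python
import os

# Constructed sample in /etc/user_attr format: user:qualifier:res1:res2:attr.
# "auths=" carries comma-separated authorization names; a trailing ".*"
# is a wildcard covering every authorization under that prefix.
SAMPLE_USER_ATTR = """\
# comment line
root::::auths=solaris.*;profiles=All;type=normal
lin::::auths=solaris.device.console,solaris.system.shutdown;profiles=Basic Solaris User
guest::::profiles=Basic Solaris User
"""

def parse_user_attr(text):
    """Return {user: {key: [values]}} from user_attr-format text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # malformed entry: ignore rather than guess
        attrs = {}
        for kv in fields[4].split(";"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                attrs[key] = [v for v in value.split(",") if v]
        table[fields[0]] = attrs
    return table

def auth_matches(granted, wanted):
    """True if a granted name covers 'wanted': exact match or trailing '.*' wildcard."""
    if granted == wanted:
        return True
    if granted.endswith(".*"):
        return wanted.startswith(granted[:-1])  # keep the dot: "solaris.device."
    return False

def has_auth(user, wanted, table):
    """Simplified auths-only check over parsed user_attr entries (profiles/roles ignored)."""
    return any(auth_matches(g, wanted) for g in table.get(user, {}).get("auths", []))

def owns_console(uid, console="/dev/console"):
    """The ad-hoc check the post mentions: is uid the owner of the console device?"""
    try:
        return os.stat(console).st_uid == uid
    except OSError:  # device missing or unreadable: treat as not the console user
        return False
```

Note that an exact grant of `solaris.device.console` does not cover a finer `solaris.device.console.session`; only a `.*` wildcard does, which matters when choosing the name to hand out at login.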