File: README

resmgr 1.0-2sarge2

Overview
========

This is a resource manager that gives unprivileged users
access to device files. Providing such access is a common problem
for people writing hardware drivers and similar software meant to
be used by "ordinary" users, for devices such as USB cameras,
scanners, CD writers, audio devices, and so on.

There are several approaches to this issue:

 -	make the devices accessible to everyone. This is
	probably the simplest approach. The downside is that
	these devices will always be accessible, even if
	another user is sitting at the console. Another
	problem with this approach is that it doesn't deal
	with hotplug devices (USB, PCMCIA).

	Third, there's no way to audit user access to
	devices.

 -	make the devices accessible to a group. This
	is just a variation of the above.

 -	make your application setuid root. This is a very common
	approach, but causes security problems very frequently. This
	approach should be considered deprecated.

 -	use a PAM module and/or the xdm script framework
	(TakeConsole/GiveConsole) to change the ownership
	of various devices to desktop users upon login,
	and change it back to root when they log out.

	This solves the first problem above, but doesn't
	deal with hotplug devices either.

One solution to this is to create a resource manager daemon
that will open the devices on behalf of the user, and pass
the file descriptor to the user's application via an AF_LOCAL
socket. This is what resmgr does.

resmgr solves all three problems listed above. It does create
a new problem, however, which is that you need to patch your
software to add resmgr support.


Basic Concept
=============

When started, the resmgr daemon reads its access control and
device information from its configuration file, and creates
the server socket.

When a user logs in, a pam module (pam_resmgr) will tell resmgr to create
a session for that user. Optionally, it can ask resmgr to grant the user
access to a specific group of devices (called a resource class). The
user will then be allowed to access all devices within that class.

When hotplug devices are attached, the hotplug subsystem can tell the
resource manager to add the device to a specific resource class; likewise,
when the device is detached it can call the resource manager and ask it
to remove the device from the group.


Location of source code
=======================

The source code for resmgr is available from the following location:

	ftp://ftp.lst.de/pub/people/okir/resmgr

This directory also contains patches for various applications to
enable resmgr support.


Further Information
===================

Additional information can be found in the manpages in the doc/
subdirectory.


Thanks
======

Many thanks to Marcus Meissner for testing and improving resmgr!


Author
======

resmgr was written by Olaf Kirch <okir@suse.de>