Privileges
This page is a work in progress.
Contents
- Matrix
- Access external storage devices
- Access internal storage devices
- Administer the system
- Use sudo to administer the system
- Configure printers
- Connect to the Internet using a modem
- Connect to wireless and ethernet networks
- Monitor system logs
- Mount user-space filesystems (FUSE)
- Send and receive faxes
- Share files with the local network
- Use audio devices
- Use CD-ROM drives
- Use floppy drives
- Use modems
- Use tape drives
- Use video devices
- Use Bluetooth devices
- Use libvirt virtualization solution
- Use VirtualBox virtualization solution
- Use Checkbox
- Communicate with HAL (deprecated?)
- Use Network Manager
- Check for new printers
- Install new software
- Install security updates
- Install software updates
- Change CPU frequency scaling
- Change the system clock
Matrix

Privilege | Everyone | At console | Desktop User | Administrator [1]
Access external storage devices | - | - | X | X
Access internal storage devices | - | - | - | X
Administer the system | - | - | - | X (w/password)
Use sudo to administer the system | - | - | - | X (w/password)
Configure printers | - | - | - | X
Connect to the Internet using a modem | - | - | - | X
Connect to wireless and ethernet networks | - | - | - | -
Monitor system logs | - | - | X | X
Mount user-space filesystems (FUSE) | - | - | X | X
Send and receive faxes | - | - | X | X
Share files with the local network | - | - | - | X
Use audio devices | - | - | - | -
Use CD-ROM drives | - | - | X | X
Use floppy drives | - | - | X | X
Use modems | - | - | X | X
Use tape drives | - | - | X | X
Use video devices | - | - | X | X
Use Bluetooth devices | - | X | - | -
Use libvirt virtualization solution | X (session) | - | - | X (system)
Use VirtualBox virtualization solution | - | - | - | -
Use Checkbox | - | X | - | -
Communicate with HAL (deprecated?) | - | X | - | -
Use Network Manager | - | X | - | -
Check for new printers | - | X | - | -
Install new software | - | - | - | X (w/password)
Install security updates | - | - | - | X (w/password)
Install software updates | - | - | - | X (w/password)
Change CPU frequency scaling | - | - | - | X
Change the system clock | - | - | - | X

[1] In a default Desktop installation, the first user on the system is considered an administrator and, as of Ubuntu 10.04 LTS, is a member of the following groups: adm, dialout, cdrom, plugdev, lpadmin, admin, sambashare.
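Because almost every right in the matrix is granted by a Unix group, the quickest audit of "who can do what" on a machine is to map each account's group memberships back to this table. The script below is an added example, not part of the original page: the group/privilege pairs are transcribed from the sections that follow, while the function names, the DEFAULT_FIRST_USER_GROUPS list format and the "groups beyond default" check are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original wiki page): map a user's Unix group
# memberships to the privileges this page documents for a default Ubuntu
# 10.04 LTS desktop, so an administrator can audit who holds what.
# The group/privilege pairs are transcribed from the page; the script layout
# and function names are assumptions made for the example.

# "group:privilege" pairs, one per line. Groups the page maps to several
# privileges appear several times.
GROUP_PRIVS='
plugdev:Access external storage devices (and talk to HAL)
admin:Access internal storage devices
admin:Administer the system via sudo (w/password)
sudo:Administer the system via sudo (w/password, Debian-compatible group)
admin:Install new software and updates (w/password)
admin:Change CPU frequency scaling
admin:Change the system clock
lpadmin:Configure printers (CUPS SystemGroup)
dip:Connect to the Internet using a modem (pppd)
netdev:Administer wicd/wpasupplicant, set avahi host name, administer Bluetooth
adm:Monitor system logs
fuse:Mount user-space filesystems (FUSE)
fax:Send and receive faxes
sambashare:Share files with the local network
audio:Use audio devices
cdrom:Use CD-ROM drives
floppy:Use floppy drives
dialout:Use modems (/dev/ttyS*, wvdial)
tape:Use tape drives
video:Use video devices (/dev/fb0)
libvirtd:Use the privileged libvirt system instance
vboxusers:Use VirtualBox
'

# Groups the page says the first user gets on a default desktop install.
DEFAULT_FIRST_USER_GROUPS="adm dialout cdrom plugdev lpadmin admin sambashare"

# privileges_from_groups "grp1 grp2 ...": print one privilege per line for
# every listed group that appears in GROUP_PRIVS, in table order.
privileges_from_groups() {
    groups=" $1 "
    printf '%s\n' "$GROUP_PRIVS" | while IFS=: read -r grp priv; do
        [ -n "$grp" ] || continue
        case "$groups" in
            *" $grp "*) printf '%s\n' "$priv" ;;
        esac
    done
}

# is_administrator "grp1 grp2 ...": succeed if the list contains a group
# that the page says grants full administration (admin or sudo).
is_administrator() {
    case " $1 " in
        *" admin "*|*" sudo "*) return 0 ;;
    esac
    return 1
}

# groups_beyond_default "grp1 grp2 ...": print groups that are not part of
# the default first-user set. On a stock system a non-empty result (other
# than the account's own primary group, which id -Gn lists first) means
# somebody widened that account's privileges.
groups_beyond_default() {
    for grp in $1; do
        case " $DEFAULT_FIRST_USER_GROUPS " in
            *" $grp "*) ;;
            *) printf '%s\n' "$grp" ;;
        esac
    done
}

# privileges_for_user USERNAME: look the user's groups up on the live system
# with id(1) and report. Not called at top level so the file can be sourced.
privileges_for_user() {
    ugroups=$(id -Gn "$1") || return 1
    printf 'groups: %s\n' "$ugroups"
    if is_administrator "$ugroups"; then
        printf 'administrator: yes\n'
    fi
    privileges_from_groups "$ugroups"
}
```

Source the file and run `privileges_for_user alice`; for a fleet, feed `groups_beyond_default "$(id -Gn "$u")"` each account from /etc/passwd and review anything it prints. Secondary memberships live in /etc/group, so a plain diff of that file against a known-good copy catches the same drift.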
Access external storage devices
This right is gained by adding the user to the "plugdev" group.
Users in the "plugdev" group can send commands to HAL (this is probably deprecated). (Ref.: /etc/dbus-1/system.d/hal.conf)
TODO: See what else "plugdev" can do, and how it restricts access to the storage devices.
Access internal storage devices
This right is gained by adding the user to the "admin" group.
Users in the "admin" group can access internal storage devices. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)
Administer the system
This right is gained by adding the user to the "admin" group.
Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)
The "admin" group is configured to be the PolicyKit "administrator authentication" group. (Ref.: /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf)
Use sudo to administer the system
This right is gained by adding the user to the "admin" group.
Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)
Beginning with Ubuntu 10.04 LTS, this right can also be granted by adding the user to the "sudo" group, for compatibility with Debian.
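The two sections above both rest on /etc/sudoers granting the "admin" group (and, from 10.04, the "sudo" group) a rule that still prompts for the user's password. The functions below are an added example, not the page's or the sudo project's code, for checking that on a given file: they list the group rules and flag any that carry the NOPASSWD tag, which would silently remove the password step the page describes. Function names are assumptions for the example; the sample sudoers content in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit which Unix groups a
# sudoers file grants privileges to, and flag rules that skip the password
# check the page describes. Function names are assumptions for the example.
# /etc/sudoers is mode 0440, so read it as root; files under /etc/sudoers.d
# must be passed explicitly because this parser does not follow #include or
# #includedir directives (it strips them as comments).

# sudoers_group_rules FILE: the user-specification lines whose subject is a
# group (they start with '%'), with comments and trailing whitespace removed.
sudoers_group_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" | grep '^%' || true
}

# sudoers_nopasswd_groups FILE: groups whose rules carry the NOPASSWD tag,
# i.e. whose members reach root without a password prompt. On a stock
# Ubuntu 10.04 this should print nothing.
sudoers_nopasswd_groups() {
    sudoers_group_rules "$1" | grep 'NOPASSWD' | sed 's/^%\([^[:space:]]*\).*/\1/' | sort -u
}

# is_group_sudoer FILE GROUP: succeed if GROUP has at least one rule.
is_group_sudoer() {
    sudoers_group_rules "$1" | grep -q "^%$2[[:space:]]"
}
```

On a live system `sudoers_group_rules /etc/sudoers` should show the "%admin" line, and `sudoers_nopasswd_groups /etc/sudoers /etc/sudoers.d/*` (one call per file) should be empty; `sudo -l -U username` asks sudo itself what it would allow that user, which is the authoritative check when the file includes other files.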
Configure printers
This right is gained by adding the user to the "lpadmin" group.
CUPS has a setting called "SystemGroup" in /etc/cups/cupsd.conf that specifies which groups are allowed to manage printers. By default, it is set to "lpadmin".
Connect to the Internet using a modem
This right is gained by adding the user to the "dip" group.
The "dip" group can launch pppd and access ppp configuration files in /etc.
Connect to wireless and ethernet networks
This right is gained by adding the user to the "netdev" group.
On Debian, membership of the "netdev" group grants access to Network Manager. On Ubuntu, Network Manager access is granted by being at the system console instead, so the name of this entry in gnome-system-tools is misleading.
The "netdev" group can administer wicd and wpasupplicant.
The "netdev" group can set the avahi host name using DBus.
The "netdev" group can administer Bluetooth devices.
Monitor system logs
This right is gained by adding the user to the "adm" group.
The "adm" group has access to most of the log files in /var/log, although a lot of them are readable by everyone.
Mount user-space filesystems (FUSE)
This right is gained by adding the user to the "fuse" group.
The "fuse" group can access the /dev/fuse device, but so can everyone else.
The "fuse" group can read the /etc/fuse.conf file.
TODO: See how the "fuse" group gains access to mount FUSE filesystems. (Is this enforced?)
Send and receive faxes
This right is gained by adding the user to the "fax" group.
Share files with the local network
This right is gained by adding the user to the "sambashare" group.
The "sambashare" group can access the /var/lib/samba/usershares directory.
Use audio devices
This right is gained by adding the user to the "audio" group.
TODO: The "audio" group owns some of the audio devices in /dev, but it's unclear what rights this gains.
Use CD-ROM drives
This right is gained by adding the user to the "cdrom" group.
The "cdrom" group owns the CD-ROM devices in /dev.
TODO: It appears the devices also have extended attributes. Investigate.
Use floppy drives
This right is gained by adding the user to the "floppy" group.
Use modems
This right is gained by adding the user to the "dialout" group.
The "dialout" group owns the /dev/ttyS* devices and can read the /etc/wvdial.conf file.
Use tape drives
This right is gained by adding the user to the "tape" group.
Use video devices
This right is gained by adding the user to the "video" group.
The "video" group can access /dev/fb0.
Use Bluetooth devices
All users at the console can talk to Bluetooth devices using DBus. (Ref.: /etc/dbus-1/system.d/bluetooth.conf)
Use libvirt virtualization solution
All users can connect to the unprivileged, per-user libvirt "session" instance (qemu:///session). Connecting to the privileged "system" instance (qemu:///system) requires membership of the "libvirtd" group. Users in the "admin" group are added to this group automatically when the package is installed.
Use VirtualBox virtualization solution
This right is gained by adding the user to the "vboxusers" group.
Use Checkbox
All users at the console can talk to the Checkbox backend using DBus. (Ref.: /etc/dbus-1/system.d/com.ubuntu.checkbox.conf)
Communicate with HAL (deprecated?)
All users at the console can communicate with the HAL daemon using DBus. Is this deprecated? (Ref.: /etc/dbus-1/system.d/hal.conf)
Use Network Manager
All users at the console can manage Ethernet, wireless and 3G networks using Network Manager via DBus. (Ref.: /etc/dbus-1/system.d/NetworkManager.conf, /etc/dbus-1/system.d/nm-applet.conf)
Check for new printers
All users at the console can check for new printers by communicating with hplip using DBus. (Ref.: /etc/dbus-1/system.d/newprinternotification.conf)
Install new software
This right is gained by adding the user to the "admin" group.
The user must type in their password before installing new software.
TODO: detail how software installation works for the different front-ends.
Install security updates
This right is gained by adding the user to the "admin" group.
The user must type in their password before installing security updates.
TODO: detail how security update installation works for the different front-ends.
Install software updates
This right is gained by adding the user to the "admin" group.
The user must type in their password before installing software updates.
TODO: detail how software update installation works for the different front-ends.
Change CPU frequency scaling
This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)
Change the system clock
This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)
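Several of the "admin" group rights on this page (internal storage, CPU frequency scaling, the system clock) come from PolicyKit local authority files rather than from file permissions: a .pkla file grants listed actions to an identity such as unix-group:admin, and localauthority.conf's AdminIdentities names who counts as an administrator for "administrator authentication" prompts. The functions below are an added example, not the page's or PolicyKit's own code, for reading both formats; function names are assumptions for the example and the .pkla content used in the usage is constructed, not the contents of com.ubuntu.desktop.pkla.

```shell
#!/bin/sh
# Added example (not from the original wiki page): read PolicyKit local
# authority configuration to list which actions a given identity (for example
# unix-group:admin) is granted, and which identities PolicyKit treats as
# administrators. Function names are assumptions for the example; the file
# formats are the .pkla and localauthority.conf formats these sections cite.

# polkit_admin_identities FILE: print the AdminIdentities value from a
# localauthority.conf-style file (e.g. 51-ubuntu-admin.conf), one identity
# per line. These are the identities that get a password prompt from
# "administrator authentication" policies.
polkit_admin_identities() {
    sed -n 's/^AdminIdentities=//p' "$1" | tr ';' '\n' | grep . || true
}

# pkla_actions FILE IDENTITY: for every [stanza] in a .pkla file whose
# Identity list contains IDENTITY, print "<action> <ResultActive>" for each
# action it covers ("-" when the stanza sets no ResultActive).
# Identity and Action are ';'-separated lists; a trailing ';' is tolerated.
pkla_actions() {
    awk -v want="$2" '
        function flush(   n, i, ids, m, j, acts) {
            if (ident != "") {
                n = split(ident, ids, ";")
                for (i = 1; i <= n; i++)
                    if (ids[i] == want) {
                        m = split(action, acts, ";")
                        for (j = 1; j <= m; j++)
                            if (acts[j] != "")
                                print acts[j], (result == "" ? "-" : result)
                    }
            }
            ident = ""; action = ""; result = ""
        }
        /^\[/            { flush(); next }
        /^Identity=/     { ident  = substr($0, 10) }
        /^Action=/       { action = substr($0, 8) }
        /^ResultActive=/ { result = substr($0, 14) }
        END              { flush() }
    ' "$1"
}
```

On a 10.04 desktop, `polkit_admin_identities /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf` should name unix-group:admin, and `pkla_actions /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla unix-group:admin` lists the actions that group gets without further authentication (ResultActive=yes). Files in the 50-local.d and 90-mandatory.d directories override vendor policy, so check those too when a result looks wider than this page documents.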
Security/Privileges (last edited 2010-05-05 13:56:34 by modemcable144)