setrbing.blogg.se

Limit standard accounts ubuntu





utmp: This group can write to /var/run/utmp and similar files. Programs that need to be able to write to it are SETGID utmp.

disk: Raw access to disks.

kmem: /dev/mem and /dev/port are readable by this group. This is mostly a BSD relic, but any programs that need direct read access to the system's memory can thus be made SETGID kmem. /dev/kmem, which gave this group its name, was also readable by this group, but is currently disabled by default for security reasons.

dialout: Full and direct access to serial ports.


tty: TTY devices are owned by this group. This is used by write and wall to enable them to write to other people's TTYs, but it is not intended to be used directly.

staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may "override" the executables in /bin and /usr/bin with the same name). Compare with group "adm", which is more related to monitoring/security.

shadow: /etc/shadow is readable by this group. Some programs that need to be able to access the file are SETGID shadow.


The following groups grant privileges to their members.

lp (LP): Members of this group can enable and use printers.

lpadmin (LPADMIN): Allows members to manage printers and pending jobs sent by other users.

scanner: Members of this group can enable and use scanners.

adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.

systemd-journal: Since Debian 8 (Jessie), members of this group can use the command journalctl and read log files of systemd (in /var/log/journal).

plugdev: Allows members to mount (only with the options nodev and nosuid, for security reasons) and umount removable devices through pmount.

netdev: Members of this group can manage network interfaces through the network manager and wicd.

cdrom: This group can be used locally to give a set of users access to a CDROM drive and other optical drives.

floppy: This group can be used locally to give a set of users access to a floppy drive and other removable (non-optical) drives (like USB flash drives). Starting with Debian 8 (Jessie) it is not used anymore for USB and flash memories.

tape: This group can be used locally to give a set of users access to a tape drive.

audio: This group can be used locally to give a set of users access to an audio device (the soundcard or a microphone).

video: This group can be used locally to give a set of users access to a video device (like a webcam).

render: This group can be used locally to give a set of users access to a rendering device (like the framebuffer, or videocard).

sudo: Members of this group can execute any command with sudo or pkexec. (See the default configuration in /etc/sudoers.)
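To limit standard accounts, first find out which accounts already hold the privilege-granting groups this page describes. The script below is an added example, not part of the original page: the watch list, the function names and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list accounts that hold privilege-granting groups.
# SENSITIVE is an assumed watch list picked from the groups this page describes.
SENSITIVE="sudo adm disk shadow kmem staff lpadmin systemd-journal dialout"

# audit_groups GROUP_FILE PASSWD_FILE
# Prints "group:user" for each member, whether listed in the group file
# (supplementary membership) or assigned through the primary GID in passwd.
audit_groups() {
    awk -F: -v watch="$SENSITIVE" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # First file, group(5): name:password:GID:member,member,...
        FNR == NR {
            if ($1 in want) {
                gidname[$3] = $1
                m = split($4, mem, ",")
                for (i = 1; i <= m; i++) if (mem[i] != "") hit[$1 ":" mem[i]] = 1
            }
            next
        }
        # Second file, passwd(5): field 4 is the primary GID
        ($4 in gidname) { hit[gidname[$4] ":" $1] = 1 }
        END { for (k in hit) print k }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data, not taken from a real host.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'sudo:x:27:alice' 'adm:x:4:syslog,alice' 'disk:x:6:' \
        'users:x:100:bob' 'dialout:x:20:carol' > "$d/group"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
        'backup:x:34:6::/var/backups:/usr/sbin/nologin' \
        'bob:x:1001:100::/home/bob:/bin/bash' > "$d/passwd"
    audit_groups "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo
```

On a live system, call `audit_groups /etc/group /etc/passwd`; accounts served from a directory service do not appear in those files.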


Filesystem in Userspace (FUSE) is a filesystem that allows non-privileged users to create their own file systems without editing the kernel code. This is achieved by running the file system code in user space, while the FUSE module provides a "bridge" to the actual kernel interfaces. FUSE can be used to write virtual filesystems.

Users are allowed to use FUSE if they can read and write to /dev/fuse. Starting with Debian 8 (Jessie), /dev/fuse is world-writeable by default.

FUSE could lead to local DoS, for instance by creating a file à la /dev/null with random content. Moreover, there was a past problem in the FUSE kernel code that led to DoS. Filesystems created by FUSE are not visible to other users, including root, in order to avoid DoS, for instance a user who creates an infinite-depth filesystem in order to fool updatedb.

RDMA stands for "remote direct memory access," and it is a type of high performance networking implemented by InfiniBand and some 10 GbE adapters.

/dev/infiniband/rdma_cm crw-rw- root rdma

Part of RDMA is "kernel bypass," which allows userspace process direct access to hardware registers to reduce latency and CPU overhead in performing RDMA operations. Users that are running high-performance jobs would need access to these device nodes; it makes sense to me that administrators would not necessarily want to allow all users to have direct access to do things that might interfere with other jobs on a high-performance network, even though in theory it is safe for anyone to use rdma due to kernel protection.

Also, RDMA often requires increasing the amount of locked memory allowed in /etc/security/nf, and doing that by group "rdma" is convenient as well.

(Wikipedia; Roland Dreier's answer on Ubuntu)





