Introduction
This page lists the different system groups used on a Debian system. System groups are special-purpose groups used for system operation such as backup or maintenance, or for granting access to hardware. They occupy the low GIDs of the system group database.
Description
fuse
Description
Filesystem in Userspace (FUSE) is a filesystem that allows non-privileged users to create their own file systems without editing the kernel code. This is achieved by running the file system code in user space, while the FUSE module only provides a "bridge" to the actual kernel interfaces.
FUSE can be used to write a virtual filesystem, for instance a wiki-based filesystem.
Users are allowed to use FUSE if they can read and write /dev/fuse, i.e. they are in the group fuse on a Debian system.
Permissions
/dev/fuse crw-rw---- root fuse
Security implications
FUSE can lead to a local DoS, for instance by creating a file à la /dev/null with random content. Moreover, there have been past problems in the FUSE kernel code that led to DoS.
Filesystems created by FUSE are not visible to other users, including root, in order to avoid DoS: for instance, a user could create an infinite-depth filesystem in order to fool updatedb.
More Information
rdma
Description
From Roland Dreier
RDMA stands for "remote direct memory access," and it is a type of high performance networking implemented by InfiniBand and some 10 GbE adapters. Part of RDMA is "kernel bypass," which allows userspace process direct access to hardware registers to reduce latency and CPU overhead in performing RDMA operations. Wikipedia has a more complete overview.
Permissions
/dev/infiniband/rdma_cm crw-rw---- root rdma
Security implications
Users that are running high-performance jobs would need access to these device nodes; it makes sense to me that administrators would not necessarily want to allow all users to have direct access to do things that might interfere with other jobs on a high-performance network. Even though in theory it is safe for anyone to use rdma due to kernel protection.
Also, RDMA often requires increasing the amount of locked memory allowed in /etc/security/limits.conf, and doing that by group "rdma" is convenient as well.
More information
Wikipedia; Roland Dreier's answer on Ubuntu
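The Permissions lines for fuse and rdma above can be checked on a live system. The following is an added example, not part of the original wiki page: it compares each device node with the owner, group and mode listed on this page and reports who holds the group. The function names are this example's own.

```python
import grp
import os
import pwd
import stat

# Expected owner, group and mode, copied from the Permissions lines on this page.
EXPECTED = {
    "/dev/fuse": ("root", "fuse", 0o660),
    "/dev/infiniband/rdma_cm": ("root", "rdma", 0o660),
}

def id_to_name(lookup, ident, field):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)

def check_node(path, owner, group, mode):
    """Return findings for one device node; an empty list means it matches."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not present"]
    findings = []
    actual_owner = id_to_name(pwd.getpwuid, st.st_uid, "pw_name")
    actual_group = id_to_name(grp.getgrgid, st.st_gid, "gr_name")
    actual_mode = stat.S_IMODE(st.st_mode)
    if (actual_owner, actual_group) != (owner, group):
        findings.append(f"{path}: owned by {actual_owner}:{actual_group}, expected {owner}:{group}")
    if actual_mode & ~mode:  # any permission bit beyond the expected set
        findings.append(f"{path}: mode {actual_mode:04o} is wider than {mode:04o}")
    return findings

def group_members(group):
    """Users who hold the group: listed members plus users with it as primary gid."""
    try:
        entry = grp.getgrnam(group)
    except KeyError:
        return None  # group does not exist on this system
    primary = {p.pw_name for p in pwd.getpwall() if p.pw_gid == entry.gr_gid}
    return sorted(primary | set(entry.gr_mem))

if __name__ == "__main__":
    for path, (owner, group, mode) in EXPECTED.items():
        for line in check_node(path, owner, group, mode) or [f"{path}: ok"]:
            print(line)
        print(f"  members of {group}: {group_members(group)}")
```

A mode wider than 0660 means access to the device is no longer gated by group membership, so the member list stops being the full set of users who can open it.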
Page Copyright
License: GPLv2 or later at your option
Authors: Bastien Roucaries
See DebianWiki/LicencingTerms for info about wiki content copyright.