In practice, the "camera" group should be added by the driver (or whatever) install script, or maybe by the OS installer. Adding the user to the "camera" group would usually be the job of a wrapper around /usr/sbin/useradd or other admin tools. Usually, I would expect the distro to set up permissions that are apropriat4e for their intended audience (i.e. desktop vs multiuser-server vs "other").
On my gentoo desktop, my user account is in many groups for this very reason:
$ grep pdkl95 /etc/group | cut -d: -f1 | sort | column
audio deskmsg plugdev sshpermit video
cdrom floppy portage usb wheel
cron games postgres users
davfs2 pdkl95 realtime vboxusers
Often, I find that when someone claims that the user/group system is too restrictive, they haven't considered simply adding more groups.
> login in locally
> login in remotely
You would use PAM(8) for this. One method would be to use pam_group(8), by putting something like this in the appropriate /etc/pam.d/ config file, such as /etc/pam.d/login
auth optional pam_group.so
...and configure /etc/security/group.conf (see group.conf(5)) with something like:
gdm; *; *; Al0000-2400; camera
This way, the people that login with gdm are added to the "camera" group. Again, this is something I would expect desktop-focused distros to setup, at least for the common stuff.
> wireless network connectivity as the machine moves?
That would be a local permission, generally, which would be covered by a setup similar to what I describe above. Even if the computer moves, it is still the logged in (possibly through a suspend) user that needs permission to configure a network interface.
> some would be saying that modern Linux is outdated
...and I would reply that those people probably need to spend some more time researching how to fully utilize the user/group system and PAM. While there are a few cases where the UNIX style of permission is insufficient, they are rarely encountered on a typical desktop or simple server. In the case of the common single-user laptop where the one user is also the "admin", there only granularity you need is a description of when they should be prompted to be become root, which is trivial using basic user/group permissions.
On my gentoo desktop, my user account is in many groups for this very reason:
Often, I find that when someone claims that the user/group system is too restrictive, they haven't considered simply adding more groups.> login in locally > login in remotely
You would use PAM(8) for this. One method would be to use pam_group(8), by putting something like this in the appropriate /etc/pam.d/ config file, such as /etc/pam.d/login
...and configure /etc/security/group.conf (see group.conf(5)) with something like: This way, the people that login with gdm are added to the "camera" group. Again, this is something I would expect desktop-focused distros to setup, at least for the common stuff.> wireless network connectivity as the machine moves?
That would be a local permission, generally, which would be covered by a setup similar to what I describe above. Even if the computer moves, it is still the logged in (possibly through a suspend) user that needs permission to configure a network interface.
> some would be saying that modern Linux is outdated
...and I would reply that those people probably need to spend some more time researching how to fully utilize the user/group system and PAM. While there are a few cases where the UNIX style of permission is insufficient, they are rarely encountered on a typical desktop or simple server. In the case of the common single-user laptop where the one user is also the "admin", there only granularity you need is a description of when they should be prompted to be become root, which is trivial using basic user/group permissions.