[Pkg-utopia-devel] pmount stuff

Martin Pitt martin@piware.de
Thu, 28 Oct 2004 09:00:20 +0200



Hi!

Sjoerd Simons [2004-10-27 19:22 +0200]:
>     * pmount in debian is currently executable by everyone, don't think that's
>       very nice (Spoke to martin this afternoon, he's going to poll d-devel)

In Ubuntu, execution is restricted to members of a group 'plugdev'.
This group controls access to hotpluggable devices, like USB/FireWire
drives, digital cameras, and so on. Being executable to everyone is
not really nice, but at least not really a risk, since pmount's policy
is currently very strict.

Also, removable devices' dev nodes are group-owned by 'plugdev'
instead of 'disk' (with a small udev patch); with this, hal does not
need to run in group 'disk' to read out device labels and file
systems. We wanted to avoid 'disk' because it is essentially
equivalent to root.

I would be glad if Debian accepts this strategy as well. It clearly
separates drives which can be accessed by users (USB and the like)
from system drives (which are still 'disk' and thus inaccessible by
the Utopia stuff). This provides a clean and low-level security
boundary. The mere idea that something as unsafe as hal is able to
mess up my system drives makes me shudder...

>     * It seems that pmount just tries various filesystems, but g-v-m already
>       knows the filesystem type from hal. Probably would be nice if we could
>       give this info to pmount (I think trying several types causes at least
>       kernel warnings)

I can add such an option, if it is desired.

>     * According to pmount's documentation about umount:
>       - <device> is mounted according to /etc/mtab and /proc/mounts with the
>         calling user's uid
>
>       but that isn't checked in the code. I'm able to umount every disk in
>       /media as normal user...

It is checked in the code, see policy.c, device_mounted():

    if( mounted && expect && uid > 0 && (uid_t) uid != getuid() ) {
        fprintf( stderr, "Error: device %s was not mounted by you\n", device );
        return 0;
    }

When I install the current Debian version, other users can indeed not
unmount a device.

May it be possible that you tried the Ubuntu version instead? This
indeed contains a patch which disables the check, because we needed a
quick workaround for allowing hal to pumount devices which were ripped
out without proper unmounting. This hack will disappear in Hoary, I
will fix g-v-m to do the unmounting instead (but this involves
nontrivial changes).

>     * With hal 0.4.0 fstab-sync uses some policy information from the hal
>       database, like whether it should be mounted sync and a suggested
>       mountpoint.

Controlling the sync flag is indeed on my wishlist (and I also have an
assigned bug: https://bugzilla.ubuntulinux.org/show_bug.cgi?id=2386).
I thought about adding a --nosync option to accommodate that.

>       Would be nice if there was some way to use this info to pmount..
>       But i don't think the setuid binary should link in hal, maybe a
>       hal_pmount wrapper program ?

No, please nothing of this sort. I think g-v-m should be responsible
to be the bridge between hal and pmount. g-v-m already reads out the
hal stuff and calls pmount, so the option passing should be
implemented there as well IMHO.

Have a nice day!

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
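The "was not mounted by you" check discussed above is worth seeing end to end: the quoted policy.c condition only compares an already-parsed uid against getuid(), and the mail does not show where that uid comes from. The following is an added example written for this page, not pmount's own code. It assumes that the mount helper records the calling user as a "uid=N" mount option, so that the owner can be recovered from a /proc/mounts or /etc/mtab line; the mount table is a constructed sample passed in as text rather than read from the real files, so it runs offline. pumount_allowed() restates the quoted condition (refuse only when a recorded non-root uid differs from the caller's); pmount's other policy checks are not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample of a /proc/mounts-style table (not captured from a
 * real system). Assumption: the mount helper records the caller as a
 * "uid=N" option; /dev/hda1 is a system mount with no such option. */
static const char SAMPLE_MOUNTS[] =
    "/dev/sda1 /media/usbdisk vfat rw,nosuid,nodev,uid=1000,gid=1000 0 0\n"
    "/dev/sdb1 /media/camera vfat rw,nosuid,nodev,uid=1001 0 0\n"
    "/dev/hda1 / ext3 rw 0 0\n";

enum mounted_result {
    NOT_MOUNTED = 0,      /* device does not appear in the table */
    MOUNTED_BY_CALLER,    /* recorded uid equals the caller's */
    MOUNTED_BY_OTHER,     /* recorded uid belongs to someone else */
    MOUNTED_NO_UID        /* mounted, but no uid option recorded */
};

/* Look for "uid=N" in a comma-separated mount option string.
 * Returns 1 and stores N in *uid on success, 0 if absent or malformed. */
static int option_uid(const char *opts, uid_t *uid)
{
    char buf[512];
    strncpy(buf, opts, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strncmp(tok, "uid=", 4) == 0) {
            char *end;
            unsigned long v = strtoul(tok + 4, &end, 10);
            if (tok[4] == '\0' || *end != '\0')
                return 0;
            *uid = (uid_t) v;
            return 1;
        }
    }
    return 0;
}

/* Scan a mount table (one "device mountpoint fstype options ..." line per
 * mount) for `device` and classify it relative to `caller`. The recorded
 * owner, if any, is stored in *owner_out when that pointer is non-NULL. */
enum mounted_result device_mounted_by(const char *table, const char *device,
                                      uid_t caller, uid_t *owner_out)
{
    const char *line = table;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t) (nl - line) : strlen(line);
        char linebuf[1024];
        if (len >= sizeof linebuf)
            len = sizeof linebuf - 1;
        memcpy(linebuf, line, len);
        linebuf[len] = '\0';

        char dev[256], mp[256], type[64], opts[512];
        if (sscanf(linebuf, "%255s %255s %63s %511s", dev, mp, type, opts) == 4
            && strcmp(dev, device) == 0) {
            uid_t owner;
            if (!option_uid(opts, &owner))
                return MOUNTED_NO_UID;
            if (owner_out)
                *owner_out = owner;
            return owner == caller ? MOUNTED_BY_CALLER : MOUNTED_BY_OTHER;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return NOT_MOUNTED;
}

/* The quoted policy.c condition restated: refuse only when the device is
 * mounted with a recorded non-root uid that is not the caller's. A mount
 * with no recorded uid (hda1 above) passes this particular check, just as
 * "uid > 0" in the snippet would. Returns 1 to proceed, 0 to refuse. */
int pumount_allowed(const char *table, const char *device, uid_t caller)
{
    uid_t owner = 0;
    enum mounted_result r = device_mounted_by(table, device, caller, &owner);
    if (r == MOUNTED_BY_OTHER && owner > 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Walk the sample table as two different unprivileged callers. */
    const char *devs[] = { "/dev/sda1", "/dev/sdb1", "/dev/hda1", "/dev/sdc1" };
    uid_t callers[] = { 1000, 1001 };
    for (size_t c = 0; c < 2; c++)
        for (size_t d = 0; d < 4; d++)
            printf("uid %u pumount %s: %s\n", (unsigned) callers[c], devs[d],
                   pumount_allowed(SAMPLE_MOUNTS, devs[d], callers[c])
                       ? "allowed" : "refused");
    return 0;
}
```

Run against the sample, uid 1000 is refused /dev/sdb1 and uid 1001 is refused /dev/sda1, while /dev/hda1 (no uid recorded) and an unknown device are let through by this check alone, which is why pmount relies on its further policy (mount point location, device class) rather than on the uid comparison by itself.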
