Re: [OT] Problem restricting user privileges in ubuntu 7.10
On 03/13/08 20:56, Raj Kiran Grandhi wrote:
> Rich Healey wrote:
>> Raj Kiran Grandhi wrote:
>>> Sorry for the non debian-specific post.
>>>
>>> I am facing some trouble in disabling user access to external storage
>>> devices on a ubuntu 7.10 system. I have created an unprivileged user,
>>> 'guest'. The user is not a member of any other group than the default.
>>>
>>> $ id guest
>>> uid=1001(guest) gid=1001(guest) groups=1001(guest)
>>>
>>> With this setup, I would expect that 'guest' does not have any access to
>>> removable storage media like cdroms and usb flash drives. However, when
>>> I plug in a usb flash disk while logged in as 'guest', the disk is
>>> automagically mounted and nautilus happily displays its contents. Same
>>> for cdroms.
>>>
>>> I have found that this behaviour is present with both the default
>>> install as well as with all security updates installed.
>>>
>>> Neither my home computer running sid nor the one at work running etch
>>> exhibits this problem. In both, I get a plain permission denied error
>>> when I try to do anything fancy with external media and I have to
>>> explicitly add user to the plugdev group to allow access.
>>>
>>> How can I achieve something similar in ubuntu? This appears to be such a
>>> trivial issue but I have no clue as to how to go about it.
>>>
>>> Thank you,
>>> Raj Kiran Grandhi
>>>
>>>
>> a) this is the DEBIAN list.
>
> Sorry for that Rich. But I did apologize in advance and mark my message
> with an [OT] :)
>
> I have not had much luck with the ubuntu list. Google could not help me
> either and I needed to resolve this issue as soon as possible. Since
> ubuntu is almost, but not quite, entirely based on sid, I was hoping
> someone on this list would have an idea as to how the whole thing works
> in the background.
>
>> b) alter your udev/hal/automount/whatever's mounting the device rules to
>> mount it 750.. whatever you want but with 0 in the other permission byte.
>
> I am fairly certain that it is hal that is doing the automount (nautilus
> calls gnome-mount which in turn calls hal). The device gets mounted with
> the permissions 700 and owned by the unprivileged user. However, the
> permissions of the mount are not the issue. The fact that the device is
> getting mounted in spite of the user not belonging to the plugdev group is.
>
> As a hack, I can try changing the ownership and permissions of
> gnome-mount to root:plugdev, 750. Shall try that when I get to office.

I don't think that's going to work.

When I (running Sid) insert a thumb drive, this is what the device
looks like:

$ dir /dev/sdc1
brw-rw---- 1 root floppy 8, 33 2008-03-13 21:53 /dev/sdc1

and this is what the relevant mtab entry looks like:

$ cat /etc/mtab | grep sdc1
/dev/sdc1 /media/disk vfat \
rw,nosuid,nodev,uhelper=hal,shortname=lower,uid=1000 0 0

It really appears to me that in this case Ubuntu is too
different from Debian.

BTW, this is what happens when I try to unmount a thumb drive that
was mounted at boot:

$ umount -v /media/disk
/sbin/umount.hal: Unmounting /media/disk failed:
org.freedesktop.Hal.Device.PermissionDeniedByPolicy:
org.freedesktop.hal.storage.unmount-others no <-- (privilege, result)

<pause>

This "root@haggis:/etc# rgrep floppy *" led me to
/etc/udev/permissions.rules which has these 2 lines in it:

# all block devices on these buses are "removable"
SUBSYSTEM=="block", SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", \
GROUP="floppy"

So, I'd look to see what the Ubuntu version of that file says.

--
Ron Johnson, Jr.
Jefferson LA USA
"Working with women is a pain in the a**."
My wife
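
Added example, not part of the original thread: a shell check for the condition discussed above, listing HAL-helper mounts (`uhelper=hal` with a `uid=` option, as in the mtab entry quoted in the message) whose owning user is not in a given group such as plugdev. The function names `audit_hal_mounts` and `demo`, the user `alice`, the device `/dev/sdd1` and all sample file contents are constructed assumptions; only the `/dev/sdc1` line and the `guest` account come from the thread.

```shell
#!/bin/sh
# audit_hal_mounts MTAB PASSWD GROUPFILE GROUP   (hypothetical helper)
# Files are arguments so the check can run on copies; on a live system
# pass /etc/mtab /etc/passwd /etc/group.
audit_hal_mounts() {
    mtab=$1; passwd=$2; grpfile=$3; want=$4
    gid=$(awk -F: -v g="$want" '$1 == g { print $3 }' "$grpfile")
    members=$(awk -F: -v g="$want" '$1 == g { print $4 }' "$grpfile")
    # Keep only entries mounted through the HAL helper (uhelper=hal option).
    awk '$4 ~ /(^|,)uhelper=hal(,|$)/ { print $1, $2, $4 }' "$mtab" |
    while read -r dev mnt opts; do
        uid=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^uid=//p')
        [ -n "$uid" ] || continue      # filesystem mounted without uid=
        user=$(awk -F: -v u="$uid" '$3 == u { print $1 }' "$passwd")
        pgid=$(awk -F: -v u="$uid" '$3 == u { print $4 }' "$passwd")
        if [ -n "$user" ]; then
            # Supplementary membership: 4th field of the group file.
            case ",$members," in *",$user,"*) continue ;; esac
            # Primary-group membership.
            if [ -n "$gid" ] && [ "$pgid" = "$gid" ]; then continue; fi
        fi
        # Owner is outside the group (or unknown): report the mount.
        echo "$dev $mnt ${user:-uid=$uid}"
    done
}

# Constructed sample data; prints the one offending mount.
demo() {
    d=$(mktemp -d)
    cat > "$d/mtab" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdc1 /media/disk vfat rw,nosuid,nodev,uhelper=hal,shortname=lower,uid=1000 0 0
/dev/sdd1 /media/disk-1 vfat rw,nosuid,nodev,uhelper=hal,shortname=lower,uid=1001 0 0
EOF
    cat > "$d/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
plugdev:x:46:alice
guest:x:1001:
EOF
    audit_hal_mounts "$d/mtab" "$d/passwd" "$d/group" plugdev
    rm -rf "$d"
}

demo
```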