
Introducing pmount in Debian / New plugdev group



Hi Debian developers!

I am currently responsible for developing the GNOME Utopia stack for
Ubuntu and closely work together with Sjoerd Simons who maintains the
Debian packages (gnome-volume-manager, hal).

Upstream's idea of automatic USB/FireWire device handling is as
follows: the "hal" daemon runs as root, is notified by hotplug about
added/removed devices, and adds/removes lines to /etc/fstab for these
devices. This allows gnome-volume-manager to mount/unmount
hotpluggable devices as normal user.

However, I was not satisfied with this solution because of several
reasons:

1. Hal's concept is to be a hardware database; it should be policy free
   and not actually change anything in the system.

2. I do not like programs that mess with a central configuration file
   like /etc/fstab. A crash at the wrong time, and your system is
   unbootable.

3. In the last months I found so many segfaults in hal that I outright
   refuse to let hal run as root. Besides, previous versions allowed
   all users to modify any key in the database, so it could not be
   trusted anyway. Even now hal has so many bugs that I feel it is
   insane to run it as root.
  
   I made some modifications to hald which allow it to run as the normal
   user 'hal' with some additional privileges (group membership and
   kernel capabilities). These modifications went upstream.

4. The security policy of Ubuntu implies that we strictly separate
   system volumes and user accessible drives. An administrator must be
   able to trust the integrity of his system partitions (/, /home,
   /usr, and so on). OTOH, one cannot put any trust in removable
   devices (USB/FireWire/PCMCIA/CD-ROMs) anyway, so users can do with
   them whatever they want.

So the Ubuntu approach is a bit different: we let hal run as a normal
user, do not modify /etc/fstab at all and instead use a program
called 'pmount' (policy mount) that allows normal users to mount
removable devices without /etc/fstab entries. pmount is now in
Debian sid and contains some documentation about the particular policy
and features. This reduces the amount of code that runs as root
to a minimum and solves points (1) to (3). Of course hal,
gnome-volume-manager and gnome-vfs2 have to be adapted to work with
pmount, but this work has been done in Ubuntu and it is easy to port
it to Debian proper.

We solved (4) by introducing a new group called 'plugdev'. Every user
who is a member of this group can access hotpluggable devices (digital
cameras, USB drives etc.). pmount can only be executed by members of
this group (it is root:plugdev 750), hal runs in this group to be able
to detect file systems (but it does not run in 'disk'), and udev
assigns the 'plugdev' group to removable devices (static drives remain
in group 'disk').
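As an added example (not part of the original post or of pmount itself), the following POSIX shell script checks the plugdev policy just described against a constructed inventory: the pmount binary must be root:plugdev with mode 750, hotpluggable devices must carry group plugdev while fixed drives stay in group disk, and only members of plugdev may run pmount. The device listing is embedded sample data so the check runs offline; on a real system the same fields would come from `stat -c '%U:%G %a'` and `/sys/block/*/removable`.

```shell
#!/bin/sh
# Audit helper for the plugdev policy (added example, not pmount code).
# Works on a constructed inventory so it can run without real devices.

# Constructed sample inventory: "device owner:group mode removable"
# (removable = 1 for hotpluggable media, 0 for fixed drives).
# /dev/sdc1 deliberately violates the policy.
SAMPLE_DEVICES='/dev/sda root:disk 660 0
/dev/sda1 root:disk 660 0
/dev/sdb1 root:plugdev 660 1
/dev/sdc1 root:disk 660 1
/dev/hda root:disk 660 0'

# The mount helper must be root-owned, group plugdev, mode 750 so that
# only plugdev members can execute it.
# $1 = owner:group, $2 = octal mode (as printed by stat -c '%U:%G %a')
check_pmount_perms() {
    [ "$1" = "root:plugdev" ] && [ "$2" = "750" ]
}

# Check that removable devices are in group plugdev and fixed ones in
# group disk. Prints one line per violation; returns 1 if any was found.
# $1 = inventory in the format of SAMPLE_DEVICES
audit_devices() {
    printf '%s\n' "$1" | awk '
    BEGIN { bad = 0 }
    {
        dev = $1; grp = $2; sub(/^[^:]*:/, "", grp); removable = $4
        if (removable == 1 && grp != "plugdev") {
            print dev ": removable but group " grp " (expected plugdev)"
            bad = 1
        }
        if (removable == 0 && grp != "disk") {
            print dev ": fixed drive but group " grp " (expected disk)"
            bad = 1
        }
    }
    END { exit bad }'
}

# Decide whether a user may run pmount: membership in plugdev is required.
# $1 = space separated list of the user'"'"'s groups (as printed by `id -Gn`)
user_may_pmount() {
    for g in $1; do
        [ "$g" = "plugdev" ] && return 0
    done
    return 1
}
```

Running `audit_devices "$SAMPLE_DEVICES"` reports /dev/sdc1 as a removable device that udev left in group disk, which is exactly the situation in which a plugdev member could not mount it (and a non-member in group disk could). The checks are kept as small functions so they can be wired into an existing sanity script.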

BTW, we also use 'plugdev' for libgphoto (IIRC Debian uses 'camera'
for that).

This approach has worked great for some months now, and the stable
Ubuntu release 4.10 (Warty Warthog) contains it. The Hoary tree (Sid
equivalent) contains many enhancements and hotpluggable devices work
better than ever before.

I would really like to propagate the same approach to Debian. Sjoerd
seems to be open to it, but since it involves the addition of a new
group and also a udev change, this decision is not confined to the
two of us, so I would like to discuss it beforehand.

Thanks in advance for comments and have a nice day!

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
