[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Introducing pmount in Debian / New plugdev group

Hi Debian developers!

I am currently responsible for developing the GNOME Utopia stack for
Ubuntu and closely work together with Sjoerd Simons who maintains the
Debian packages (gnome-volume-manager, hal).

Upstream's idea of automatic USB/FireWire device handling is as
follows: the "hal" daemon runs as root, is notified by hotplug about
added/removed devices, and adds/removes lines to /etc/fstab for these
devices. This allows gnome-volume-manager to mount/unmount
hotpluggable devices as normal user.

However, I was not satisfied with this solution because of several

1. Hal's concept is to be a hardware database; it should be policy free
   and not actually change anything in the system.

2. I do not like programs who mess with a central configuration file
   like /etc/fstab. A crash at the wrong time, and your system is

3. In the last months I found so many segfaults in hal that I outright
   refuse to let hal run as root. Besides, previous versions allowed
   all users to modify any key in the database, so it could not be
   trusted anyway. Even now hal has so many bugs that I feel it is
   insane to run it as root.
   I made some modifications to hald which allows it to run as normal
   user 'hal' with some additional privileges (group membership and
   kernel capabilities). These modifications went upstream.

4. The security policy of Ubuntu implies that we strictly separate
   system volumes and user accessible drives. An administrator must be
   able to trust the integrity of his system partitions (/, /home,
   /usr, and so on). OTOH, one cannot put any trust in removable
   devices (USB/FireWire/PCMCIA/CD-ROMs) anyway, so users can do with
   them whatever they want.

So the Ubuntu approach is a bit different: we let hal run as normal
user, do not modify /etc/fstab at all and instead use a program
called 'pmount' (policy mount) that allows normal users to mount
removable devices without an /etc/fstab entries. pmount is now in
Debian sid and contains some documentation about the particular policy
and features. This concentrates the amount of code that runs as root
to a minimum and solves points (1) to (3). Of course hal,
gnome-volume-manager and gnome-vfs2 have to be adapted to work with
pmount, but this work has been done in Ubuntu and it is easy to port
it to Debian proper.

We solved (4) by introducing a new group called 'plugdev'. Every user
who is a member of this group can access hotpluggable devices (digital
cameras, USB drives etc.). pmount can only be executed by members of
this group (it is root:plugdev 750), hal runs in this group to be able
to detect file systems (but it does not run in 'disk'), and udev
assigns the 'plugdev' group to removable devices (static drives remain
in group 'disk').

BTW, we also use 'plugdev' for libgphoto (IIRC Debian uses 'camera'
for that).

This approach has worked great for some months now, and the stable
Ubuntu release 4.10 (Warty Warthog) contains it. The Hoary tree (Sid
equivalent) contains many enhancements and hotpluggable devices work
better than ever before.

I would really like to propagate the same approach to Debian. Sjoerd
seems to be open to it, but since it involves the addition of a new
group and also an udev change, this decision is not confined to the
two of us, so I would like to discuss that before.

Thanks in advance for comments and have a nice day!


Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: