[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Introducing pmount in Debian / New plugdev group

On Wed, Nov 10, 2004 at 04:43:41PM +0100, Martin Pitt wrote:
> Marco d'Itri [2004-11-10 14:19 +0100]:
> > > Our /etc/udev/udev.rules has two new rules directly after the cdrom
> > > and floppy rules:

> > > # put removable IDE/SCSI devices into group 'plugdev' instead of 'disk'
> > > BUS="scsi", KERNEL="sd[a-z]*", PROGRAM="/etc/udev/removable.sh %k", RESULT="1", NAME="%k", MODE="0660", GROUP="plugdev"
> > > BUS="ide", KERNEL="hd[a-z]*", PROGRAM="/etc/udev/removable.sh %k", RESULT="1", NAME="%k", MODE="0660", GROUP="plugdev"

> > What about I ship the script in udev (as /etc/udev/scripts/removable.sh)
> > and your package install the rules file? Or udev provides the rules file
> > too and your package enables it by creating the symlink?

> I was not sure whether it is valid that packages put their scripts
> into /etc/udev/rules.d. But I would be fine to leave udev.rules
> untouched and have pmount ship /etc/udev/rules.d/z_plugdev.rules (z_
> because it must be executed after the standard rules; if it is
> executed earlier, CD-ROM and floppy nodes will also be in plugdev,
> which is not intended).

But don't CD-ROM and floppy devices also need the same sort of pmount
support you're proposing here? After all, you can hot-swap the media in
them, so it seems reasonable to me that they can be pmounted? What's the
rationale for _not_ including these in the pmount infrastructure you're

Hmm. Now that I think about it, surely the plugdev group would have to
be given using pam_console so that remote users in the plugdev group
can't remotely stomp on the USB memory stick the local user just put in,
before they could mount it?

In _that_ case, cdrom and floppy strike me as _very_ appropriate for the
same treatment, and the local administrator could add appropriate people
directly to those groups for things like a headless server where someone
whacks in a USB stick, and then wanders back to their laptop to access
it. This would close (to my mind) a security hole in systems where both
local and remote users have access.

Paul "TBBle" Hampson, MCSE
7th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.

Attachment: signature.asc
Description: Digital signature

Reply to: