Re: Introducing pmount in Debian / New plugdev group

[Henning Makholm <henning@makholm.net>]

Scripsit Paul.Hampson@anu.edu.au (Paul Hampson)
> On Tue, Nov 09, 2004 at 06:41:40PM +0100, Martin Pitt wrote:

> > We solved (4) by introducing a new group called 'plugdev'. Every user
> > who is a member of this group can access hotpluggable devices (digital
> > cameras, USB drives etc.). pmount can only be executed by members of
> > this group (it is root:plugdev 750),

This must be be a typo. Surely such a program would need to be suid
root, i.e. mode 4750 was meant rather than 750. In a Debian package
it should have mode 4754; there is no reason to deny unprivileged
users *reading* the binary as long as they cannot use the suid i-node
to execute it. Policy §10.9, fifth paragraph.

> Hmm. What's to stop a user fetching their own version of the pmount
> binary?

Nothing, anymore than there is something to stop a user compiling such
a program himself. However, the kernel ought to stop said user from
saving his binary in a file owned by root. As long as it's not owned
and suid by root it cannot be used to do privileged operations.

> If so, then a+x mode is safe, and directed by Debian Policy (I think. If
> not, it's in the Developer's Reference as a good idea).

The point of not having a+x is to allow the sysadmin to control who
gets the privilege of using pmount.

-- 
Henning Makholm       "`Update' isn't a bad word; in the right setting it is
                 useful. In the wrong setting, though, it is destructive..."