Re: [OT] Problem restricting user privileges in ubuntu 7.10
On Fri, Mar 14, 2008 at 8:40 AM, Ron Johnson <ron.l.johnson@cox.net> wrote:
> > I am fairly certain that it is hal that is doing the automount (nautilus
> > calls gnome-mount which in turn calls hal). The device gets mounted with
> > the permissions 700 and owned by the unprivileged user. However, the
> > permissions of the mount are not the issue. The fact that the device is
> > getting mounted in spite of the user not belonging to the plugdev group is.
> >
> > As a hack, I can try changing the ownership and permissions of
> > gnome-mount to root:plugdev, 750. Shall try that when I get to office.
>
> I don't think that's going to work.
>
> When I (running Sid) insert a thumb drive, this is what the device
> looks like:
> $ dir /dev/sdc1
> brw-rw---- 1 root floppy 8, 33 2008-03-13 21:53 /dev/sdc1
> and this is what the relevant mtab entry looks like:
> $ cat /etc/mtab | grep sdc1
> /dev/sdc1 /media/disk vfat \
> rw,nosuid,nodev,uhelper=hal,shortname=lower,uid=1000 0 0
>
> It really appears to me that in this case Ubuntu is too
> different from Debian.
>
> BTW, this is what happens when I try to unmount a thumb drive that
> was mounted at boot:
>
> $ umount -v /media/disk
> /sbin/umount.hal: Unmounting /media/disk failed:
> org.freedesktop.Hal.Device.PermissionDeniedByPolicy:
> org.freedesktop.hal.storage.unmount-others no <-- (privilege, result)
>
$ ls -l /dev/sdc1
brw-rw---- 1 root plugdev 8, 33 2008-03-14 09:28 /dev/sdc1
$ grep sdc1 /etc/mtab
/dev/sdc1 /media/rajkiran vfat rw,nosuid,nodev, \
shortname=mixed,uid=1000,utf8,umask=077,usefree 0 0
$ umount -v /media/rajkiran
umount: /media/rajkiran is not in the fstab (and you are not root)
>
> This "root@haggis:/etc# rgrep floppy *" led me to
> /etc/udev/permissions.rules which has these 2 lines in them:
> # all block devices on these buses are "removable"
> SUBSYSTEM=="block", SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", \
> GROUP="floppy"
Same on my sid machine at home.
>
> So, I'd look to see what the Ubuntu version of that file says.
>
Here are the relevant lines from the Ubuntu version:
# Block devices
SUBSYSTEM!="block", GOTO="block_end"
ATTRS{removable}!="1", GROUP="disk"
ATTRS{removable}=="1", GROUP="floppy"
SUBSYSTEMS=="usb", GROUP="plugdev"
SUBSYSTEMS=="ieee1394", GROUP="plugdev"
SUBSYSTEMS=="mmc", GROUP="plugdev"
SUBSYSTEMS=="pcmcia", GROUP="plugdev"
LABEL="block_end"
For now, I have changed the permissions of /usr/bin/gnome-mount
to 750 and owned by root:plugdev. As expected, it is giving an error
when attempting to mount the drive using nautilus. But if the problem
is with hal/udev then it should be possible to bypass gnome-mount
and talk to hal directly using dbus. The people using that specific
machine are not that sophisticated (that's why Ubuntu in the first place)
so I can live with this for the moment.
Regards,
Raj Kiran
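
Added example, not part of the original message or of udev itself: a small evaluator for the two permissions.rules excerpts quoted above, showing why the same USB stick comes out as root:floppy on Debian Sid and root:plugdev on Ubuntu 7.10 (the last GROUP= assignment that applies wins). It is a simplified model that handles only ==, !=, GROUP, GOTO, LABEL and "|" alternatives; the USB_STICK attributes are constructed, with parent-device values flattened into lists.

```python
import fnmatch
import re

# One 'KEY op "value"' term; op is == or != (match) or = (assignment).
TERM = re.compile(r'([A-Za-z]+(?:\{[^}]*\})?)\s*(==|!=|=)\s*"([^"]*)"')

UBUNTU_RULES = '''\
# Block devices
SUBSYSTEM!="block", GOTO="block_end"
ATTRS{removable}!="1", GROUP="disk"
ATTRS{removable}=="1", GROUP="floppy"
SUBSYSTEMS=="usb", GROUP="plugdev"
SUBSYSTEMS=="ieee1394", GROUP="plugdev"
SUBSYSTEMS=="mmc", GROUP="plugdev"
SUBSYSTEMS=="pcmcia", GROUP="plugdev"
LABEL="block_end"
'''

DEBIAN_RULES = '''\
# all block devices on these buses are "removable"
SUBSYSTEM=="block", SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", \\
    GROUP="floppy"
'''

def matches(device, key, value):
    """True if any value the device (or a parent) has for key matches a '|' alternative."""
    have = device.get(key, [])
    return any(fnmatch.fnmatchcase(h, alt) for h in have for alt in value.split("|"))

def final_group(rules, device, default="root"):
    """Walk the rules top to bottom; the last GROUP= assignment that applies wins."""
    lines = [l.strip() for l in rules.replace("\\\n", " ").splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    group, i = default, 0
    while i < len(lines):
        terms = TERM.findall(lines[i])
        i += 1
        if not all(matches(device, k, v) == (op == "==") for k, op, v in terms if op != "="):
            continue  # a match term failed, so this rule line does not apply
        for key, op, value in terms:
            if (op, key) == ("=", "GROUP"):
                group = value
            elif (op, key) == ("=", "GOTO"):  # jump to the matching LABEL line
                i = next(n for n, l in enumerate(lines) if l == f'LABEL="{value}"')
    return group

# Constructed sample: a USB stick partition, parent attributes flattened into lists.
USB_STICK = {"SUBSYSTEM": ["block"], "SUBSYSTEMS": ["block", "usb", "scsi"],
             "ATTRS{removable}": ["1"]}
```

The group computed here only controls who can open the device node directly; the thread attributes the mount itself to hal, so tightening this group alone does not stop the automount.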