
Re: [OT] Problem restricting user privileges in ubuntu 7.10



On Fri, Mar 14, 2008 at 8:40 AM, Ron Johnson <ron.l.johnson@cox.net> wrote:
>  > I am fairly certain that it is hal that is doing the automount (nautilus
>  > calls gnome-mount which in turn calls hal). The device gets mounted with
>  > the permissions 700 and owned by the unprivileged user. However, the
>  > permissions of the mount are not the issue. The fact that the device is
>  > getting mounted in spite of the user not belonging to the plugdev group is.
>  >
>  > As a hack, I can try changing the ownership and permissions of
>  > gnome-mount to root:plugdev, 750. Shall try that when I get to office.
>
>  I don't think that's going to work.
>
>  When I (running Sid) insert a thumb drive, this is what the device
>  looks like:
>     $ dir /dev/sdc1
>     brw-rw---- 1 root floppy 8, 33 2008-03-13 21:53 /dev/sdc1
>  and this is what the relevant mtab entry looks like:
>     $ cat /etc/mtab | grep sdc1
>     /dev/sdc1 /media/disk vfat \
>            rw,nosuid,nodev,uhelper=hal,shortname=lower,uid=1000 0 0
>
>  It really appears to me that in this case Ubuntu is too
>  different from Debian.
>
>  BTW, this is what happens when I try to unmount a thumb drive that
>  was mounted at boot:
>
>  $ umount -v /media/disk
>  /sbin/umount.hal: Unmounting /media/disk failed:
>  org.freedesktop.Hal.Device.PermissionDeniedByPolicy:
>  org.freedesktop.hal.storage.unmount-others no <-- (privilege, result)
>

$ ls -l /dev/sdc1
brw-rw---- 1 root plugdev 8, 33 2008-03-14 09:28 /dev/sdc1

$ grep sdc1 /etc/mtab
/dev/sdc1 /media/rajkiran vfat rw,nosuid,nodev, \
     shortname=mixed,uid=1000,utf8,umask=077,usefree 0 0

$ umount -v /media/rajkiran
umount: /media/rajkiran is not in the fstab (and you are not root)

>
>  This "root@haggis:/etc# rgrep floppy *" led me to
>  /etc/udev/permissions.rules which has these 2 lines in them:
>  # all block devices on these buses are "removable"
>  SUBSYSTEM=="block", SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", \
>                                                  GROUP="floppy"

Same on my Sid machine at home.

>
>  So, I'd look to see what the Ubuntu version of that file says.
>

Here are the relevant lines from the Ubuntu version:
# Block devices
SUBSYSTEM!="block", GOTO="block_end"
ATTRS{removable}!="1",			GROUP="disk"
ATTRS{removable}=="1",			GROUP="floppy"
SUBSYSTEMS=="usb",			GROUP="plugdev"
SUBSYSTEMS=="ieee1394",			GROUP="plugdev"
SUBSYSTEMS=="mmc",			GROUP="plugdev"
SUBSYSTEMS=="pcmcia",			GROUP="plugdev"
LABEL="block_end"

For now, I have changed the permissions of /usr/bin/gnome-mount
to 750 and owned by root:plugdev. As expected, it is giving an error
when attempting to mount the drive using nautilus. But if the problem
is with hal/udev then it should be possible to bypass gnome-mount
and talk to hal directly using dbus. The people using that specific
machine are not that sophisticated (that's why Ubuntu in the first place)
so I can live with this for the moment.

Regards,
Raj Kiran
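
Added example, not part of the original message or of any project mentioned in it: a small audit for the mismatch discussed in this thread, a removable device mounted for a uid that is not a member of the group owning the device node. The sample mtab and `ls -l` lines are constructed from the output quoted above; the user names, the second device and the group membership table are assumptions, and membership through a primary gid is assumed to be already folded into GROUPS.

```python
# Constructed sample data modelled on the output quoted in the thread;
# user names, /dev/sdd1 and the group membership are assumptions.
MTAB = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdc1 /media/rajkiran vfat rw,nosuid,nodev,shortname=mixed,uid=1000,utf8,umask=077,usefree 0 0
/dev/sdd1 /media/disk vfat rw,nosuid,nodev,uhelper=hal,shortname=lower,uid=1001 0 0
"""
LS_L = """\
brw-rw---- 1 root disk 8, 1 2008-03-14 09:00 /dev/sda1
brw-rw---- 1 root plugdev 8, 33 2008-03-14 09:28 /dev/sdc1
brw-rw---- 1 root plugdev 8, 49 2008-03-14 09:30 /dev/sdd1
"""
USERS = {1000: "kiosk", 1001: "admin"}          # uid -> login name
GROUPS = {"plugdev": {"admin"}, "disk": set()}  # group -> members

def parse_mtab(text):
    """Yield (device, mountpoint, options-dict) for each mtab line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            yield fields[0], fields[1], dict(o.partition("=")[::2] for o in fields[3].split(","))

def device_groups(ls_text):
    """Map block device path -> owning group, taken from `ls -l` output."""
    groups = {}
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) >= 9 and fields[0].startswith("b"):
            groups[fields[-1]] = fields[3]
    return groups

def audit(mtab, ls_text, users, groups):
    """Return mounts whose uid= owner is not in the device node's group."""
    dev_group = device_groups(ls_text)
    findings = []
    for dev, mnt, opts in parse_mtab(mtab):
        if "uid" not in opts or dev not in dev_group:
            continue  # not a per-user mount, or no device node information
        user = users.get(int(opts["uid"]), opts["uid"])
        group = dev_group[dev]
        if user not in groups.get(group, set()):
            findings.append((dev, mnt, user, group, opts.get("uhelper", "")))
    return findings

if __name__ == "__main__":
    for finding in audit(MTAB, LS_L, USERS, GROUPS):
        print("mounted for non-member: %s on %s user=%s group=%s uhelper=%s" % finding)
```

On a live system the three inputs would come from /etc/mtab, `ls -l` on the listed devices, and the passwd and group databases.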

