
Re: [OT] Problem restricting user privileges in ubuntu 7.10



On Fri, Mar 14, 2008 at 11:45:44 +0530, Raj Kiran Grandhi wrote:

[...]

> >  > I am fairly certain that it is hal that is doing the automount (nautilus
> >  > calls gnome-mount which in turn calls hal). The device gets mounted with
> >  > the permissions 700 and owned by the unprivileged user. However, the
> >  > permissions of the mount are not the issue. The fact that the device is
> >  > getting mounted in spite of the user not belonging to the plugdev group is.
> >  >
> >  > As a hack, I can try changing the ownership and permissions of
> >  > gnome-mount to root:plugdev, 750. Shall try that when I get to office.

[...]

> For now, I have changed the permissions of /usr/bin/gnome-mount
> to 750 and owned by root:plugdev. As expected it is giving an error
> when attempting to mount the drive using nautilus. But if the problem
> is with hal/udev then it should be possible to bypass gnome-mount
> and talk to hal directly using dbus. The people using that specific
> machine are not that sophisticated (that's why ubuntu in the first place)
> so I can live with this for the moment.

HAL and dbus have built-in access control:

file:///usr/share/doc/hal-doc/spec/hal-spec.html#access-control
file:///usr/share/doc/hal-doc/spec/hal-spec.html#device-properties-access-control
apt-cache show policykit

I have never had a reason to experiment with this myself, therefore I
cannot comment on it any further.

Approaching the problem from the Gnome side, maybe pessulus or sabayon
can provide an additional layer of security. (Their package descriptions
do not explicitly mention lock-down of pluggable devices, though.)

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |

