Re: EUREKA!!!! - was [Re: Permissions for an entire PARTITION]
On Sat 29 Oct 2016 at 23:23:52 +0300, Reco wrote:
> On Sat, 29 Oct 2016 19:15:53 +0100
> Brian <ad44@cityscape.co.uk> wrote:
>
> > I wish you had addressed the "equal exposure" question. Desktops are not
> > the only environments in town. Leaving non-policykit users out in the
> > cold is not an option.
>
> True, that does not look good at all. But why bother listing udisks2
> which is using PolicyKit then?
In the light of previous points I think there is a non-sequiteur in
there somwhere.
> Besides, in modern Debian it takes a certain amount of skill and
> determination *not* to use PolicyKit ;)
Maybe. Nothing to do with whether policykit is on a machine or not, of
course.
> > It doesn't come down to that; using a desktop filemanager is just one of
> > the alternatives. One could equally well ask why it is has to mentioned
> > when there is
> >
> > > Install pmount, udevil or udisks2 and use one .....
>
> Indeed. All this confusion could be avoided by simple 'please mount the
> USB stick to this mountpoint'. Again, the page describes rather
> advanced topic.
As said, a rewrite is in the offing. The reality is that all operations
should be with root privileges.
> > Providing a range of advice for a range of people isn't exactly easy in
> > all situations. Advice on installing a wifi kernel module is easy -
> > there is only one for each chipset.
>
> I honestly wish that this was true. Sadly, there's Broadcom, see [1]
> for the gory details.
There are always exceptions.
> > A page on pmount is a little harder because it is a moving target.
>
> I honestly lost you here. oldstable, stable, testing and even sid have
> the same upstream version of pmount - 0.9.23, dated 2010.
They do indeed. Six years. Do you get the feeling it is getting on for
unmaintained. (And a wiki page with HAL on it! I ask you). But software
changes. Then wiki pages change.
> > (The link you gave has out-of-date info on HAL). Anything more
> > complex can always be criticised as time moves on.
>
> The page itself is somewhat outdated, true. Someone should cleanup that
> obsolete hal reference.
Don't look at me.
> > But your sort of constructive criticism is valuable.
>
> You're welcome, I guess.
>
> > You are getting carried away here. Both are for *automatically* mounting
> > and unmounting removable media, which is not a focus for the task.
> >
> > There is no sign of supermount in stable or unstable.
>
> True. That's something that I missed.
We all miss something.
> > As little as possible should be done as root is a good principle.
>
> mount(2) system call is a privileged one regardless of the tool used.
> Hence a root intervention in one form or the other is needed.
>
> Whenever such privilege escalation is done by trusted daemon (udisks2),
> or by hand (su, sudo) for the purposes of mounting and unmounting is not
> relevant. Assuming, for the sake of simplicity, that all implementations
> of privilege escalation (su, sudo, policykit, trusted suid binaries
> such as pmount) are free of security bugs.
>
> If it was desirable to exclude root intervention whenever possible in
> this task - the page in question would suggest fusefat instead.
Something to consider and test. Thanks.
> > C'mon; pointing out a typo! This is unworthy of you, even as an aside.
>
> Disregard the typo comment then as it was not pointed to the article
> quality. Not all mount(8) invokations require root, that was the point.
>
> > Mounting and unmounting are not really a problem. Users and root can
> > easily do these. But, as far as I can see, only someone with root
> > privileges can use dd, cfdisk, fdisk and mkfs.vfat with a removable
> > device. I'd like to be wrong.
>
> This is a common myth that I'll debunk gladly.
>
> Image copying (dd or any other tool) merely requires ability to write
> to a block device. Such permissions on removable media should be
> provided to any current console user by logind (or ConsoleKit if we
> still need to think about wheezy), or a good old-fashioned
> 'floppy' (any group name will do) group and a custom udev rule (as of
> jessie).
>
> Creating any filesystem on a removable media's partition merely requires
> the same.
Since you wrote this, hundreds of people using GNOME have popped a USB
stick into their machines and typed
dd if=/dev/zero of=/dev/<somewhere>
Those who didn't get
dd: failed to open 'dev/<somewhere>'
will be along soon to report success and explain why.
The floppy group + a udev rule is a Wheezy thing. Not suitable for a
wiki relating to a current Debian.
--
Brian.
Reply to: