g-v-m vs. pamconsole mount option

[David Zeuthen]

On Mon, 2006-01-02 at 15:09 +0300, Andrey Borzenkov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Mandriva defaulted to pamconsole mount option since switching to HAL. Recently 
> all removables started to be not accessible to logged in user. The problem 
> seems to be interaction between g-v-m and hal. Hal adds /etc/fstab line 
> containing pamconsole option; g-v-m now calls volume Mount method with empty 
> parameter set that basically results in calling "mount /dev/node" - but on 
> behalf of root, not user that has started g-v-m, thus effectively making 
> device accessible to root only.

I've discussed this with the g-v-m and gnome-vfs maintainers and the
thinking here is that g-v-m will invoke gnome-mount, see

 http://lists.freedesktop.org/archives/hal/2005-December/004138.html

I've discussed with Kevin Otte (KDE hacker) that KDE would use a similar
scheme (albeit read settings from the KDE config system rather than
gconf)

> There seem to be more general issue - as far as I can tell, any user logged in 
> can call volume Mount or Unmount method - without any sort of authentication 
> and/or authorization performed.

Only users at the console are, or should be, privileged to invoke
Mount/Unmount - see hal.conf.in and the at_console policy  - hmm, it
seems we need to add rules for the o.f.Hal.Device.Volume interface? I
thought we had done that already. Kay?

Right now only root should be allowed? Otherwise it sounds like a
problem with how pam_console and D-BUS interacts on your distro?

> 
> Is it intentional? Is it local Mandriva problem and how do other distro avoid 
> it?

The fstab-sync program will be removed in the next release; we just need
to finish the Mount/Unmount methods, finish gnome-mount (a few days
work, I hope to find some time soon) and do a security review before we
can make a release.

Cheers,
David