ramblings about privileges

David Zeuthen david at fubar.dk
Sun Jan 22 19:58:12 PST 2006


On Jan 22, 2006, at 8:51 PM, Artem Kachitchkine wrote:

>
>>  http://freedesktop.org/~david/libhal-policy.h
>
> Yes, that's simple and flexible.

Sounds good, I'll take a stab at this; should be simple for a text-based  
back-end given we depend on glib for this library...

> Thinking about this further though, I don't seem to be convinced of  
> the value of per-device granularity. In practice, it is very hard  
> to identify a piece of media uniquely *and* reliably. Identifiers  
> (such as UUID) are easily forgeable, and often misused (i.e. used  
> for purposes they were not designed for). It might give people a  
> false sense of security.

Right.. yes.. and no.. For hotpluggable drives without removable  
media.. say a USB hard disk enclosure... the HAL UDI will probably (it  
should) consist of the file-system UUID and the USB device serial  
number.. for ATA volumes, the ATA disk serial number and file-system  
UUID and so forth... So sometimes it'll be pretty hard to forge  
(difficult to tamper with ATA and USB device serial numbers though  
not impossible).. Of course for removable media (e.g. CF card) it's  
easy to crack.. but I think at least some users realize that.. and if  
they don't... we leave out the option or educate them..

So.. I like it as a general feature and I expect we'll be using this  
for framework much more than just storage volumes in the future. We  
can always decide not to show the option (e.g. "Allow any user to  
mount the volume 'Dave's USB key'") in the UI on the grounds of either  
false security and/or usability.

> Distinction between fixed and removable makes sense.
> For each of these, have a whitelist and a blacklist.
>
> Distros or sysadmins can make white/blacklisting scalable across  
> enterprise through unix groups e.g.:
>
> fixedmount::12345:davidz,dilbert
> removablenomount::12346:alice,sally
>
> /etc/hal/policy.d/storage.conf needs to be set for these groups  
> only once. With this setup, white/black lists are pushed through  
> NIS or LDAP or whatever - no need to push /etc/hal/policy.d/ 
> storage.conf file to every user machine.

Right, that's sorta why I wanted groups...

     David
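An added example, not code from the thread or from HAL itself, showing how the group-based white/blacklisting described above could be resolved at mount time. The layout of `storage.conf` (an INI-style file with `allow_groups` / `deny_groups` per media class) is an assumption, since the thread names the file but never defines its format; the group file contents and the `may_mount` helper are constructed for illustration. The one design decision worth noting is that deny-list membership wins over allow-list membership and an unknown media class is refused, so the check fails closed.

```python
"""Resolve a HAL-style mount policy through unix groups (constructed example)."""
import configparser

# Constructed stand-in for /etc/group (name:password:gid:members),
# using the two groups from the thread.
GROUP_FILE = """\
root:x:0:
fixedmount:x:12345:davidz,dilbert
removablenomount:x:12346:alice,sally
"""

# Constructed /etc/hal/policy.d/storage.conf in an ASSUMED INI-like layout.
# '*' in allow_groups means "any user"; deny_groups always takes precedence.
STORAGE_CONF = """\
[fixed]
allow_groups = fixedmount
deny_groups =

[removable]
allow_groups = *
deny_groups = removablenomount
"""


def parse_groups(text):
    """Map group name -> set of member usernames from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def user_groups(user, groups):
    """All groups (by name) that list `user` as a member."""
    return {name for name, members in groups.items() if user in members}


def parse_policy(text):
    """Map media class -> (allow_groups, deny_groups) from the assumed conf layout."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    policy = {}
    for section in cp.sections():
        allow = cp.get(section, "allow_groups", fallback="")
        deny = cp.get(section, "deny_groups", fallback="")
        policy[section] = (
            {g.strip() for g in allow.split(",") if g.strip()},
            {g.strip() for g in deny.split(",") if g.strip()},
        )
    return policy


def may_mount(user, media_class, policy, groups):
    """True if `user` may mount media of `media_class` ('fixed' or 'removable').

    Deny-list membership wins over allow-list membership, and a media class
    with no policy section is refused, so the decision fails closed.
    """
    if media_class not in policy:
        return False
    allow, deny = policy[media_class]
    mine = user_groups(user, groups)
    if mine & deny:
        return False
    if "*" in allow:
        return True
    return bool(mine & allow)


if __name__ == "__main__":
    policy = parse_policy(STORAGE_CONF)
    groups = parse_groups(GROUP_FILE)
    for user in ("davidz", "alice", "bob"):
        for media in ("fixed", "removable"):
            print(f"{user:7} {media:9} -> {may_mount(user, media, policy, groups)}")
```

Because the decision only consults group membership, the same `storage.conf` can ship unchanged on every machine while NIS or LDAP supplies the actual membership, which is the scaling property the thread is after.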



