[PATCH] set required mount privileges via fdi file

David Zeuthen david at fubar.dk
Sat Jul 22 10:36:02 PDT 2006


On Thu, 2006-07-20 at 09:43 +0200, Ludwig Nussel wrote:
> On Wednesday 19 July 2006 18:34, Artem Kachitchkine wrote:
> > > So in
> > > order to only allow Dave to mount "Dave's usb key" you just have to
> > > create an fdi file
> > 
> > I would expect that to manipulate _privileges_ you'd want to manipulate 
> > _privilege_ files, not fdi files. I think "resources" serve the purpose 
> > you describe, i.e. to allow Dave mount "Dave's usb key" you'd add 
> > something like:
> > 
> > Allow=dave:/org/freedesktop/Hal/devices/volume_dave_s_usb_key
> 
> Where would you put that? Into the definition of
> 'hal-storage-removable-mount'? How would you be able to mount anything
> else then if you restrict it to dave and dave's usb key? You cannot
> introduce another privilege file as hal-storage-mount always asks
> for the 'hal-storage-removable-mount' privilege.

According to the spec

 http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-spec.html?revision=1.7#id2992755

then

 Allow=uid:joe uid:barry uid:dave:hal:///org/freedesktop/Hal/devices/volume_dave_s_usb_key
 Deny=

would allow joe and barry to mount removable storage and only dave to
mount a specific device. 

We can make this more complex if we want (introducing NOT operators) but
I'm not sure we want that. Another avenue is to change the way Allow and
Deny are processed so you can write

 Allow=uid:__all__ uid:dave:hal:///org/freedesktop/Hal/devices/volume_dave_s_usb_key
 Deny=uid:dave

The important thing really is to be able to map this sanely to some UI
that an admin can understand, e.g.

        +------------------------------------------------+
        | ( ) No user can mount fixed drives             |
        | ( ) Any user can mount fixed drives            |
        | (*) Restrict mounting of fixed drives to       |
        |      the following users and groups:           |
        |      +-------------------------------+         |
        |      | U davidz                     ^|         |
        |      | U dilbert                    ||         |
        |      | G admins                     ||         |
        |      | G releng                     V|         |
        |      +-------------------------------+         |
        |       [Delete] [Add Group] [Add User]          |
        |                                                |
        | ( ) No one can mount removable drives          |
        | ( ) Any user can mount removable drives        |
        | (*) Restrict mounting of removable drives to   |
        |      the following users and groups:           |
        |      +-------------------------------+         |
        |      | U jane                       ^|         |
        |      | U john                       ||         |
        |      | G admins                     ||         |
        |      | G secretaries                V|         |
        |      +-------------------------------+         |
        |       [Delete] [Add Group] [Add User]          |
        |                                                |
        |                                        [Close] |
        +------------------------------------------------+

Once you have an idea of UI and the user experience an admin wants, it's
a lot easier to start talking about data formats. I don't pretend the
current Allow, Deny clauses and their semantics are 100% right -
suggestions welcome.

Oh, and as mentioned elsewhere I think the current implementation of
PolicyKit will just ignore the resource thing though the API will still
expose it. That is because I'm not sure anyone needs a user experience
right now that is per-device. I could be wrong though, and if I am, we
can change the formats without changing the API.

Cheers,
David
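As an added example, not code from PolicyKit or from anyone in this thread: a small Python evaluator for the `Allow=`/`Deny=` entry format quoted above, covering both layouts David gives. The rule used for the second layout (an entry naming the exact resource outranks a generic one) is this example's assumption about what "change the way Allow and Deny are processed" would mean, not something the spec or the message defines.

```python
# Added example, not PolicyKit's own code. Entries look like
#   uid:<name>                 generic: applies to every resource
#   uid:<name>:<resource>      applies only to that one resource
# and "__all__" stands for any uid.

DAVE_KEY = "hal:///org/freedesktop/Hal/devices/volume_dave_s_usb_key"

def parse_clause(value):
    """Turn 'uid:joe uid:dave:hal:///...' into a list of (uid, resource)."""
    entries = []
    for token in value.split():
        parts = token.split(":", 2)          # 'uid', name, optional resource
        if len(parts) < 2 or parts[0] != "uid" or not parts[1]:
            raise ValueError("unsupported entry: %r" % token)
        entries.append((parts[1], parts[2] if len(parts) == 3 else None))
    return entries

def _hit(entries, uid, resource, specific):
    """True if an entry names uid (or __all__) and either carries exactly
    this resource (specific=True) or carries none at all (specific=False)."""
    for name, res in entries:
        if name not in (uid, "__all__"):
            continue
        if specific and res == resource:
            return True
        if not specific and res is None:
            return True
    return False

def may_mount(allow, deny, uid, resource, specific_wins=False):
    """Decide whether uid may mount resource.

    Default: any matching Deny entry refuses, otherwise any matching Allow
    entry grants (first layout: Deny= is empty, dave is listed with his key).
    specific_wins=True: an entry naming the exact resource outranks a generic
    one, so 'Allow=uid:__all__ uid:dave:<key>' plus 'Deny=uid:dave' lets dave
    mount only his key (second layout; this precedence is an assumption)."""
    a, d = parse_clause(allow), parse_clause(deny)
    if specific_wins:
        if _hit(d, uid, resource, True):
            return False
        if _hit(a, uid, resource, True):
            return True
    if _hit(d, uid, resource, True) or _hit(d, uid, resource, False):
        return False
    return _hit(a, uid, resource, True) or _hit(a, uid, resource, False)
```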
