access regulation for block devices with hal?

Jelle de Jong jelledejong at powercraft.nl
Sun Nov 2 04:59:52 PST 2008 

Martin Pitt wrote:
> Hi Jelle,
> 
> Jelle de Jong [2008-10-31 10:58 +0100]:
>>> unity:~# ls -hal /dev/sd*
>>> brw-rw---- 1 root disk  8,  0 okt 26 12:32 /dev/sda
>>> brw-rw---- 1 root disk  8,  1 okt 26 12:32 /dev/sda1
>>> brw-rw---- 1 root user0 8, 16 okt 26 12:32 /dev/sdb
>>> brw-rw---- 1 root user0 8, 17 okt 26 12:32 /dev/sdb1
>>> brw-rw---- 1 root user1 8, 32 okt 26 12:32 /dev/sdc
>>> brw-rw---- 1 root user1 8, 33 okt 26 12:32 /dev/sdc1
>>>
>>> So now user0 should not be able to access the device with group user1.
>>> This works fine with parted, fdisk, dd etcetera. But I would like to be
>>> able to let the user0 mount its device dev/sdb1.
> 
> For this kind of setup, using fstab would actually be the easiest
> solution. However, you say that this isn't flexible enough, why? NB
> that fstab can't only just use device names, but UUIDs and labels as
> well, which are usually enough to identify a device (nothing that you
> can't fake, of course).
> 
> So what are you *actually* trying to do? I don't think anyone will be
> able to help you if you don't give a full description of how you want
> to identify devices, what limitations you see with fstab, etc.
> 
>>> So her comes the question, how can I let user0 mounts his usb stick with
>>> group user0 and how can I let user1 mounts his usb stick with group
>>> user1 without user0 or user1 being able to access other devices where
>>> they have group rw permission on...
> 
> There are mount options for all of those which you can put into fstab.
> man mount.
> 
>>> I would like to regulate this with HAL rules, only showing devices to a
>>> user that he has access to and can mount, also make sure the mount is
>>> not accessible by other users.
> 
> Really, using hal FDI rules doesn't really work well any more these
> days. There were some properties for that in the past, but it was
> superseded by per-user settings in gconf for gnome-mount, etc.
> 
> Also, you seem to mix different things: The permissions of device
> nodes (like /dev/sdc) vs. permissions of mounting, which are
> *entirely* unrelated. In particular, having access to a device node
> is neither required nor sufficient for being able to mount it.
> 
> For enforced device/user specific device node policies I still believe
> that udev rules are straightforward, easy, and secure. For per-user
> mount policies fstab is doable, and if it you want some kind of
> dynamic system you need to give some examples how such a dynamic rule
> should look like.
> 
>> I am willing to talk about some sort of reward/payment.
> 
> Like fixing a bug of those assigned to me? :-)
> 
> Have a good weekend,
> 
> Martin

Sorry for my late response, and thank you all for taking the time to
response to the question/problem.

So what I am actually trying to do is to create a fail prove system
where independent non related people can work on the same system without
having other users can access/read/write/mount there devices. Every user
has his own usb hub, where all kind of devices like usb fat, ntfs, ext2,
ext3 block devices, or usb audio, networking class devices can be
plugged into. So there is no control over the type of devices! I already
have udev rules in place regulating the file group and user permissions
depending on the usb hub used to plugin a device. (see the first post)

I would like a solution without gnome kde, xfce or other desktop
specific technologies. So pure gnu/linux, unix and desktop.org standard
based tools.

fstab is not flexible enhough because it can't create a system to match
options on the type of file system being used. I can create an perfect
solution of only vfat devices, but then other file systems ext2,ext3
will not work anymore... (see the attachment)

I would like to have similar behavior as currently used for vfat but
then for ext2, ext3, ext4 and maybe ntfs.

It would also be nice to be able to mount iso images... in the with the
same permission systems as the usb sticks.

I hope this clears things up a bid, and get us closer to an usable solution.

Thanks in advance for any information,

Best regards,

Jelle

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: fstab.txt
Url: http://lists.freedesktop.org/archives/hal/attachments/20081102/0906455a/attachment.txt

More information about the hal mailing list