access regulation for block devices with hal?

Jelle de Jong jelledejong at powercraft.nl
Wed Nov 5 11:30:34 PST 2008


Jelle de Jong wrote:
> Martin Pitt wrote:
>> Hi Jelle,
>>
>> Jelle de Jong [2008-10-31 10:58 +0100]:
>>>> unity:~# ls -hal /dev/sd*
>>>> brw-rw---- 1 root disk  8,  0 okt 26 12:32 /dev/sda
>>>> brw-rw---- 1 root disk  8,  1 okt 26 12:32 /dev/sda1
>>>> brw-rw---- 1 root user0 8, 16 okt 26 12:32 /dev/sdb
>>>> brw-rw---- 1 root user0 8, 17 okt 26 12:32 /dev/sdb1
>>>> brw-rw---- 1 root user1 8, 32 okt 26 12:32 /dev/sdc
>>>> brw-rw---- 1 root user1 8, 33 okt 26 12:32 /dev/sdc1
>>>>
>>>> So now user0 should not be able to access the device with group user1.
>>>> This works fine with parted, fdisk, dd etcetera. But I would like to be
>>>> able to let the user0 mount its device dev/sdb1.
>> For this kind of setup, using fstab would actually be the easiest
>> solution. However, you say that this isn't flexible enough, why? NB
>> that fstab can't only just use device names, but UUIDs and labels as
>> well, which are usually enough to identify a device (nothing that you
>> can't fake, of course).
>>
>> So what are you *actually* trying to do? I don't think anyone will be
>> able to help you if you don't give a full description of how you want
>> to identify devices, what limitations you see with fstab, etc.
>>
>>>> So her comes the question, how can I let user0 mounts his usb stick with
>>>> group user0 and how can I let user1 mounts his usb stick with group
>>>> user1 without user0 or user1 being able to access other devices where
>>>> they have group rw permission on...
>> There are mount options for all of those which you can put into fstab.
>> man mount.
>>
>>>> I would like to regulate this with HAL rules, only showing devices to a
>>>> user that he has access to and can mount, also make sure the mount is
>>>> not accessible by other users.
>> Really, using hal FDI rules doesn't really work well any more these
>> days. There were some properties for that in the past, but it was
>> superseded by per-user settings in gconf for gnome-mount, etc.
>>
>> Also, you seem to mix different things: The permissions of device
>> nodes (like /dev/sdc) vs. permissions of mounting, which are
>> *entirely* unrelated. In particular, having access to a device node
>> is neither required nor sufficient for being able to mount it.
>>
>> For enforced device/user specific device node policies I still believe
>> that udev rules are straightforward, easy, and secure. For per-user
>> mount policies fstab is doable, and if it you want some kind of
>> dynamic system you need to give some examples how such a dynamic rule
>> should look like.
>>
>>> I am willing to talk about some sort of reward/payment.
>> Like fixing a bug of those assigned to me? :-)
>>
>> Have a good weekend,
>>
>> Martin
> 
> Sorry for my late response, and thank you all for taking the time to
> response to the question/problem.
> 
> So what I am actually trying to do is to create a fail prove system
> where independent non related people can work on the same system without
> having other users can access/read/write/mount there devices. Every user
> has his own usb hub, where all kind of devices like usb fat, ntfs, ext2,
> ext3 block devices, or usb audio, networking class devices can be
> plugged into. So there is no control over the type of devices! I already
> have udev rules in place regulating the file group and user permissions
> depending on the usb hub used to plugin a device. (see the first post)
> 
> I would like a solution without gnome kde, xfce or other desktop
> specific technologies. So pure gnu/linux, unix and desktop.org standard
> based tools.
> 
> fstab is not flexible enhough because it can't create a system to match
> options on the type of file system being used. I can create an perfect
> solution of only vfat devices, but then other file systems ext2,ext3
> will not work anymore... (see the attachment)
> 
> I would like to have similar behavior as currently used for vfat but
> then for ext2, ext3, ext4 and maybe ntfs.
> 
> It would also be nice to be able to mount iso images... in the with the
> same permission systems as the usb sticks.
> 
> I hope this clears things up a bid, and get us closer to an usable solution.
> 
> Thanks in advance for any information,
> 
> Best regards,
> 
> Jelle

Any ideas? I am willing to donate some Dutch stroopwafels for a good
solution..

Best regards,

Jelle


More information about the hal mailing list