access regulation for block devices with hal?

Martin Pitt martin.pitt at ubuntu.com
Fri Oct 31 14:04:20 PDT 2008


Hi Jelle,

Jelle de Jong [2008-10-31 10:58 +0100]:
> > unity:~# ls -hal /dev/sd*
> > brw-rw---- 1 root disk  8,  0 okt 26 12:32 /dev/sda
> > brw-rw---- 1 root disk  8,  1 okt 26 12:32 /dev/sda1
> > brw-rw---- 1 root user0 8, 16 okt 26 12:32 /dev/sdb
> > brw-rw---- 1 root user0 8, 17 okt 26 12:32 /dev/sdb1
> > brw-rw---- 1 root user1 8, 32 okt 26 12:32 /dev/sdc
> > brw-rw---- 1 root user1 8, 33 okt 26 12:32 /dev/sdc1
> > 
> > So now user0 should not be able to access the device with group user1.
> > This works fine with parted, fdisk, dd etcetera. But I would like to be
> > able to let the user0 mount its device /dev/sdb1.

For this kind of setup, using fstab would actually be the easiest
solution. However, you say that this isn't flexible enough, why? NB
that fstab can use not only device names, but UUIDs and labels as
well, which are usually enough to identify a device (nothing that you
can't fake, of course).

So what are you *actually* trying to do? I don't think anyone will be
able to help you if you don't give a full description of how you want
to identify devices, what limitations you see with fstab, etc.

> > So here comes the question, how can I let user0 mount his usb stick with
> > group user0 and how can I let user1 mount his usb stick with group
> > user1 without user0 or user1 being able to access other devices where
> > they have group rw permission on...

There are mount options for all of those which you can put into fstab.
man mount.

> > I would like to regulate this with HAL rules, only showing devices to a
> > user that he has access to and can mount, also make sure the mount is
> > not accessible by other users.

Really, using hal FDI rules doesn't really work well any more these
days. There were some properties for that in the past, but it was
superseded by per-user settings in gconf for gnome-mount, etc.

Also, you seem to mix different things: The permissions of device
nodes (like /dev/sdc) vs. permissions of mounting, which are
*entirely* unrelated. In particular, having access to a device node
is neither required nor sufficient for being able to mount it.

For enforced device/user specific device node policies I still believe
that udev rules are straightforward, easy, and secure. For per-user
mount policies fstab is doable, and if you want some kind of
dynamic system you need to give some examples of what such a dynamic
rule should look like.

> I am willing to talk about some sort of reward/payment.

Like fixing a bug of those assigned to me? :-)

Have a good weekend,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
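
The per-user fstab approach suggested in this message can be checked with a short audit script. This is an added example, not part of the original e-mail: it classifies who may mount each entry using the `user`, `users`, `owner` and `group` options documented in mount(8), and the sample fstab (UUIDs, labels, mount points, user names) is constructed.

```python
# Added example: who may mount each fstab entry, per the options documented in mount(8).
# Constructed sample; the UUIDs, labels, mount points and user names are made up.
SAMPLE_FSTAB = """\
/dev/sda1       /              ext3  defaults                                    0 1
UUID=1111-AAAA  /media/user0   vfat  noauto,group,uid=user0,gid=user0,umask=077  0 0
UUID=2222-BBBB  /media/user1   vfat  noauto,owner,uid=user1,gid=user1,umask=077  0 0
LABEL=SHARED    /media/shared  vfat  noauto,users                                0 0
"""

# fstab options that allow a non-root user to mount the entry.
USER_MOUNT = {
    "user": "any user",
    "users": "any user (and any user may unmount)",
    "owner": "the owner of the device node",
    "group": "members of the device node's group",
}
SPOOFABLE = "UUID/LABEL is stored on the media and can be faked"
NOT_PRIVATE = "vfat without umask=077: other users may read the mount"

def parse_fstab(text):
    """Yield (spec, mountpoint, fstype, [options]) for each entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            yield fields[0], fields[1], fields[2], fields[3].split(",")

def audit(text):
    """Map mountpoint -> (options granting user mounts, warnings)."""
    report = {}
    for spec, mnt, fstype, opts in parse_fstab(text):
        granted = [o for o in opts if o in USER_MOUNT]
        values = dict(o.split("=", 1) for o in opts if "=" in o)
        warnings = []
        if granted and spec.startswith(("UUID=", "LABEL=")):
            warnings.append(SPOOFABLE)
        umask = int(values.get("umask", "0"), 8)
        if granted and fstype == "vfat" and umask & 0o077 != 0o077:
            warnings.append(NOT_PRIVATE)
        report[mnt] = (granted, warnings)
    return report

if __name__ == "__main__":
    for mnt, (granted, warnings) in audit(SAMPLE_FSTAB).items():
        who = ", ".join(USER_MOUNT[g] for g in granted) or "root only"
        print(f"{mnt}: mountable by {who}")
        for w in warnings:
            print(f"  warning: {w}")
```

Of the four options, only `owner` and `group` consult the ownership of the device node; `user` and `users` grant the mount regardless of the node's permissions.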

