[Utopia] [Fwd: Removable devices and fstab]

This was supposed to go to the list, but didn't :)

Nathaniel
--- Begin Message ---
On Sun, 2004-08-29 at 12:29 +0200, Kristof Vansant wrote:
> > These are handled through fstab, are they not? Just like any unix mount,
> > you can disable this or limit it to a specific group.
> yes and fstab-sync from hald edits fstab when a new device is plugged in.
> So there should be some security options added to fstab-sync that
> certain devices can only be mounted ro for security reasons. Maybe it is
> asked too much to put the ro option depending on the user group :)

This brings up a subject that I've been meaning to address for a few
weeks now.  It is time that we addressed the issue of how we should
handle removable devices in a secure manner.

The current fstab-update situation has a few drawbacks.  The first one
is that it forces hal to run as root (which it really doesn't need to).
Secondly, it makes it difficult to specify a static mounting policy for
removable devices (ie. users should be able to mount cdroms, but not
usb_key drives).

The major problem is that UNIX treats removable devices like static
devices, when in reality, they are somewhat different (though they
function the same).

The solution that my company is developing is a policy wrapper around
mount.   While it is in its infancy, the basic idea is that all static
system devices (or removable devices you want to limit access to) go in
fstab.   Removable devices get handled by the mount wrapper.  On device
insertion, the mount wrapper is called (from gvm).  The mount wrapper
then goes through a strict set of policy checks.  Then (if the user has
access) the device is mounted by its uuid.  If the device is in fstab,
the mount wrapper drops privileges and calls mount (mount will fail or
succeed based on the abilities of the user in fstab).

Some advantages of this solution include:
1. Providing a consistent mounting point for devices (no matter what
their /dev name), because they are mounted by their uuid.
2. Adjustable system policy (ie. cdroms are ok, but not usb sticks.
This would be done through a config file eventually, though not
currently limited)
3. Hal can run as normal user (mount wrapper is setuid, but less code
runs as root)
4. No dynamic updating of fstab
5. Consistent way of handling removable devices

Currently our wrapper is not hal aware, but I would like it to become
so.  If you are interested, the program will be released open source.

Cheers,
Nathaniel

--- End Message ---
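The decision logic Nathaniel sketches (check fstab first and defer to mount(8) with dropped privileges if the device is listed there; otherwise apply a per-device-class policy, force safe options such as `ro`, and mount by UUID at a stable mount point) can be modelled without touching a real system. The following is an added example, not code from the thread or from the wrapper Nathaniel's company was writing; the fstab text, the policy table, the device classes and the group names are constructed for illustration. It only computes the mount command a wrapper would run, it does not execute anything, and the `ro`-depending-on-group behaviour Kristof asked for is expressed as an `rw_groups` set per device class.

```python
"""Policy decision logic for a removable-device mount wrapper (illustrative)."""
from dataclasses import dataclass, field

# Constructed sample fstab; not taken from any real machine.
SAMPLE_FSTAB = """\
# <file system>     <mount point>   <type>   <options>         <dump> <pass>
UUID=1111-2222      /               ext3     defaults          0 1
/dev/cdrom          /media/cdrom    iso9660  ro,noauto,user    0 0
UUID=AAAA-BBBB      /media/backup   vfat     noauto,ro,users   0 0
"""

# Hypothetical policy table (the "config file" the mail says would come later):
#   groups    - who may mount this device class at all
#   rw_groups - who gets read-write; everyone else is forced to "ro"
#   options   - options always applied to removable media
POLICY = {
    "cdrom": {"groups": {"users", "plugdev"}, "rw_groups": set(),
              "options": ["ro", "nosuid", "nodev"]},
    "usb":   {"groups": {"users", "plugdev"}, "rw_groups": {"plugdev"},
              "options": ["nosuid", "nodev", "noexec"]},
}


@dataclass
class Device:
    uuid: str        # filesystem UUID, stable across insertions
    dev_class: str   # "cdrom", "usb", ... as reported by the hotplug layer
    dev_node: str    # current /dev name, which may differ each time


@dataclass
class Decision:
    action: str                      # "mount", "defer_to_fstab" or "deny"
    mount_cmd: list = field(default_factory=list)
    reason: str = ""


def parse_fstab(text):
    """Map each fstab 'file system' field to its mount point and option set."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                 # malformed line: ignore rather than guess
        spec, mountpoint, fstype, opts = fields[:4]
        entries[spec] = {"mountpoint": mountpoint, "fstype": fstype,
                         "options": set(opts.split(","))}
    return entries


def fstab_entry_for(device, fstab):
    """A device is 'in fstab' if either its UUID or its current node is listed."""
    for key in (f"UUID={device.uuid}", device.dev_node):
        if key in fstab:
            return fstab[key]
    return None


def decide(device, user_groups, fstab, policy=POLICY):
    """Return what the wrapper should do for this device and this user."""
    entry = fstab_entry_for(device, fstab)
    if entry is not None:
        # Static policy lives in fstab: the wrapper would drop its setuid
        # privileges here and let mount(8) enforce the user/users option.
        return Decision("defer_to_fstab", ["mount", entry["mountpoint"]],
                        "listed in fstab; mount(8) decides with dropped privileges")

    rule = policy.get(device.dev_class)
    if rule is None:
        return Decision("deny", reason=f"no policy for class {device.dev_class!r}")
    groups = set(user_groups)
    if not groups & rule["groups"]:
        return Decision("deny", reason=f"user not in {sorted(rule['groups'])}")

    options = list(rule["options"])
    if "ro" not in options and not groups & rule["rw_groups"]:
        options.append("ro")         # read-only unless the user is in an rw group

    # Mount by UUID so the mount point is the same whatever the /dev name is.
    mountpoint = f"/media/{device.uuid}"
    cmd = ["mount", "-o", ",".join(options), f"UUID={device.uuid}", mountpoint]
    return Decision("mount", cmd, "policy allows; mounting by uuid")


if __name__ == "__main__":
    fstab = parse_fstab(SAMPLE_FSTAB)
    stick = Device("DEAD-BEEF", "usb", "/dev/sda1")
    for who in (["users"], ["users", "plugdev"], ["staff"]):
        print(who, decide(stick, who, fstab))
```

The same `decide` call answers all of the cases raised in the thread: a CD-ROM for a member of `users` is mounted read-only, a USB stick for someone outside `plugdev` is also forced to `ro`, an unknown device class is denied, and anything already in fstab is handed to mount(8) so that the setuid wrapper never has to interpret fstab semantics itself.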