Hi,

On 17/06/2014 17:28, Michael Biebl wrote:
> On 17.06.2014 17:04, Yann Amar wrote:
>>
>> Knowing that the default user created during installation is a member of
>> secondary groups 'floppy' and 'plugdev', and knowing that making this user a
>> member of the 'disk' group will only lead to security issues, wouldn't it be
>> possible to (re)introduce specific rules to manage external/removable devices
>> differently than the internal ones, and make them readable and writable by
>> any member of 'floppy' or 'plugdev'? Or is there a plan to work around this
>> issue?
>
> Static groups are a workaround, not very flexible and an all-or-nothing
> approach.

I disagree: making all block devices owned by the same group as the
system's disk is the real all-or-nothing approach, as explained just above.
See also old bugs against udev ([1] and [2]). I know that setting removable
devices to belong to the floppy or plugdev group is an issue in some specific
cases [3], but there is now a small package in Debian [4] to avoid that, by
using udev to set UNIX group and udisks properties on a per-device basis.

Even if static groups are not very flexible, there are programs based on or
using static groups to build fine-grained solutions: udev, sudo, acl,
policykit, among others. Saying that static groups (and UNIX permissions)
are not very flexible does not mean that they are obsolete.

> Use a tool like udisks if you need a more dynamic solution.

I doubt that udisks has been designed and can be used as a wrapper around any
arbitrary command. How would one obtain a result similar to, say,
'dd if=mini.iso of=/dev/sdb' with udisks, and without typing an admin
password to do that on the USB stick I have just plugged in? Is this kind of
action not considered legitimate?

Cheers,
quidame

[1] https://bugs.debian.org/402622
[2] https://bugs.debian.org/402649
[3] https://bugs.debian.org/645466
[4] https://packages.debian.org/search?searchon=sourcenames&keywords=bilibop