Hendrik Boom writes:
> On Thu, Jul 30, 2015 at 10:28:30AM +0100, Rainer Weikusat wrote:
[sudo/ PATH]
>> Also, the Debian default configuration
>> contains a
>>
>> Defaults
>> secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
>>
>> which means the user PATH won'
On Sat, 1 Aug 2015 05:13:46 -0400
Renaud (Ron) OLGIATI wrote:
> If I wanted my users to use sudo, I would install them *ubuntu...
:-)
Wait a minute. You can't do that.
* If I wanted my children to breath, I'd give them oxygen tanks.
* If I wanted to spend my money, I'd buy a Testerosa.
:-)
On Thu, 30 Jul 2015 18:59:31 +0200
tilt! wrote:
> Hi Jaromil!
>
> Jaromil wrote on 29/07/2015 at 19:44 CEST:
> > [...]
> > how I do it now? hardcode every single binary
> > that sudo is aloud to execute, full path
> > and locations that are only root writable.
> > that's a sudoers feature...
>
On Thu, 30 Jul 2015 09:18:16 -0400 (EDT)
Rob Owens wrote:
> Another reason not to give users wholesale access to the mount
> command is that they could then 'mount -o remount,rw' any filesystem
> that the administrator has mounted read-only. To protect against
> this, I think you probably need s
Le 30/07/2015 11:28, Rainer Weikusat a écrit :
Didier Kryn writes:
Le 29/07/2015 16:35, a...@gulbrandsen.priv.no a écrit :
Every last problem of sudo is taken seriously? Did you know that if
someone has limited access, e.g. the right to install standard
packages, then it is easy to leverage th
Le 01/08/2015 17:49, Isaac Dunham a écrit :
Alternately, you could write a wrapper that*always* mounts under
/media, and doesn't accept -t; it just takes a device name, creates an
equivalent name under /media, checks type and whether ntfs-3g is installed,
and passes a suitable type to mount (or
On Fri, Jul 31, 2015 at 10:47:29AM +0100, Rainer Weikusat wrote:
>
> A daemon process should only exist because it provides some important
> functionality with a real benefit for users of the system which cannot
> (reasonably) be provided in some other way, eg, by starting a program to
> perform a
On Fri, Jul 31, 2015 at 07:12:05AM -0400, Steve Litt wrote:
> Someone mentioned that we have too many daemons and this shouldn't be
> one. If you want the thing to be *auto*mount instead of just "mount
> when I tell you to, or "search for possible mounts and tell me about
> them", it has to be a ba
Laurent Bercot writes:
> On 31/07/2015 11:47, Rainer Weikusat wrote:
>>
>> [example of a completely useless daemon process]
>>
>> But that's not a good reason for it being installed and running: A
>> daemon process should only exist because it provides some important
>> functionality with a real b
On Sat, Aug 01, 2015 at 08:49:55AM -0700, Isaac Dunham wrote:
> On Thu, Jul 30, 2015 at 10:39:22PM +0200, Didier Kryn wrote:
> > Isaac, your comment suggests me two questions:
> > One: is it really possible to mount a Fuse filesystem with 'mount' ? I
> > thought it could only be done with '
On Thu, Jul 30, 2015 at 10:28:30AM +0100, Rainer Weikusat wrote:
> Didier Kryn writes:
> > Le 29/07/2015 16:35, a...@gulbrandsen.priv.no a écrit :
> >> Every last problem of sudo is taken seriously? Did you know that if
> >> someone has limited access, e.g. the right to install standard
> >> packa
On Thu, Jul 30, 2015 at 10:39:22PM +0200, Didier Kryn wrote:
> Le 30/07/2015 01:09, Isaac Dunham a écrit :
> >I'm not sure where in the discussion this fits, but I thought I'd mention
> >it here:
> >Permitting all mount invocations via sudo does have a potential security
> >hole if your mount imple
IMHO automount for desktop is a helper for a user running some X
session. Usually that means that a single person is using this system.
So make him a helper which can do automount/autorun etc which helps
him on a daily basis. Helps him not the admin of the system. A simple
one which is a helper, n
If I wanted my users to use sudo, I would install them *ubuntu...
Cheers,
Ron.
--
Schroedinger thought inside the box.
-- http://www.olgiati-in-paraguay.org --
___
Dng ma
On 31/07/2015 11:47, Rainer Weikusat wrote:
But that's not a good reason for it being installed and running: A
daemon process should only exist because it provides some important
functionality with a real benefit for users of the system which cannot
(reasonably) be provided in some other way
N
Le 30/07/2015 01:30, Laurent Bercot a écrit :
I think most people wouldn't mind a pandemonium on their machine IF
they knew exactly what daemon is doing what, how many resources a
daemon consumes, and how to disable the ones they don't need.
Yes, it is mostly a question of book-keeping, a
If I was about to make a friendly for me Desktop, I would provide a
system service/library/daemon/whatever, where every application while
installing on the system could register (during installation) a set of
commands to be executed later with root privileges. And later ask for
execution of those
On Wed, 29 Jul 2015 19:44:44 +0200
Jaromil wrote:
> I mean: what would you suggest using for the
> "check a FIFO" bit you mention?
> pcre? perhaps very clean simple code?
> most code out there has too many features
> and is too ambitions to fulfill such a simple task
The first word is parsed to
Le 30/07/2015 01:09, Isaac Dunham a écrit :
On Thu, Jul 30, 2015 at 12:40:33AM +0200, Didier Kryn wrote:
I don't understand the preventions against sudo. It is just up to the
administrator to take care, like for everything.
Wether execution of the command is allowed by sudo, by a setu
Didier Kryn writes:
> Le 29/07/2015 16:35, a...@gulbrandsen.priv.no a écrit :
>> Every last problem of sudo is taken seriously? Did you know that if
>> someone has limited access, e.g. the right to install standard
>> packages, then it is easy to leverage that to get complete
>> access. Various pa
Hi Jaromil!
Jaromil wrote on 29/07/2015 at 19:44 CEST:
[...]
how I do it now? hardcode every single binary
that sudo is aloud to execute, full path
and locations that are only root writable.
that's a sudoers feature...
This is how I personally see it: In an ideal environment,
there were *no* t
Laurent Bercot writes:
[...]
>> I think I speak for most people here when I say we dislike
>> the quantity of undocumented daemons running
>> on on gnu/Linux desktop nowadays and
>> I hope we can trim that down with Devuan
>
> The real sticking point in what you just wrote is "undocumented".
>
- Original Message -
> From: "Isaac Dunham"
> I'm not sure where in the discussion this fits, but I thought I'd mention
> it here:
> Permitting all mount invocations via sudo does have a potential security
> hole if your mount implementation supports FUSE, as you can run an arbitrary
> com
On 29/07/2015 19:44, Jaromil wrote:
IMHO the bigger barrier to this is not having
a string parsing code (or basic grammar)
that is security oriented, I mean hardened
to run as root and handle corner cases
The tool I linked does no parsing at all. The user gives the end
of the command line she
On Thu, Jul 30, 2015 at 12:40:33AM +0200, Didier Kryn wrote:
> I don't understand the preventions against sudo. It is just up to the
> administrator to take care, like for everything.
>
> Wether execution of the command is allowed by sudo, by a setuid bit or
> by policykit does not change
Le 29/07/2015 16:35, a...@gulbrandsen.priv.no a écrit :
Every last problem of sudo is taken seriously? Did you know that if
someone has limited access, e.g. the right to install standard
packages, then it is easy to leverage that to get complete access.
Various packages run programs in $PATH as
On July 29, 2015 7:17:23 PM GMT+02:00, Steve Litt
wrote:
>On Wed, 29 Jul 2015 17:07:32 +0200
>tilt! wrote:
>
>
>> I am certain there is a way of solving this "automounting
>> problem" (if I may call it that) cleanly, without the use
>> of either of them. :-)
>
>Yes, a daemon running as root c
> > I am certain there is a way of solving this "automounting
> > problem" (if I may call it that) cleanly, without the use
> > of either of them. :-)
>
> Yes, a daemon running as root could do it. And if the daemon does
> nothing but observe inotify and dmesg, perhaps check a fifo for devices
> t
On Wed, 29 Jul 2015 18:41:36 +0200
Laurent Bercot wrote:
> I know the advantages of the daemon approach, I use it myself and
> advocate it any chance I get. Unfortunately, I have found that many
> users are reluctant to add yet another daemon to their systems, no
> matter how few resources it t
On Wed, 29 Jul 2015 11:04:22 -0400 (EDT)
Rob Owens wrote:
> Spacefm has the ability to use several different methods to
> mount removable media. If you install either pmount or udevil,
> it can use them. By default, I believe it automatically
> chooses which method it wants to use, based on wha
On Wed, 29 Jul 2015 17:07:32 +0200
tilt! wrote:
> I am certain there is a way of solving this "automounting
> problem" (if I may call it that) cleanly, without the use
> of either of them. :-)
Yes, a daemon running as root could do it. And if the daemon does
nothing but observe inotify and dme
On 29/07/2015 18:03, tilt! wrote:
My estimate is that such daemon was not resource hungry:
Actually, I'm talking about a daemon consuming entirely negligible
resources, performing no polling at all, only reacting to an
external command performed either manually or via the hotplug helper.
I k
Hi,
Laurent Bercot wrote on 29/07/2015 at 17:34 CEST:
> On 29/07/2015 17:07, tilt! wrote:
>
>> I am certain there is a way of solving this "automounting
>> problem" (if I may call it that) cleanly, without the use
>> of either of them. :-)
>
> There is a way to solve (almost) every suid issue
>
Arnt Gulbrandsen writes:
> Steve Litt writes:
>> I repeat my question: Do you have first hand knowledge indicating that
>> polkit is any safer?
>
> No, I do not. But unlike sudo, I am not aware of any weaknesses in its
> core design either.
You wrote that sudo would keep the PATH environment vari
On 29/07/2015 16:02, kpb wrote:
That is a really interesting way of looing at things, thanks for the mental
prompt.
It's an elementary design principle: separate the engine from the interface.
I very much hope people who design GUIs keep it in mind.
How would you deal with providing notifi
On 29/07/2015 17:07, tilt! wrote:
I am certain there is a way of solving this "automounting
problem" (if I may call it that) cleanly, without the use
of either of them. :-)
There is a way to solve (almost) every suid issue cleanly, but
it requires running a small additional daemon for every c
Steve Litt writes:
I repeat my question: Do you have first hand knowledge indicating that
polkit is any safer?
No, I do not. But unlike sudo, I am not aware of any weaknesses in its core
design either.
Arnt
___
Dng mailing list
Dng@lists.dyne.org
h
Hi Steve,
Steve Litt wrote on 29/07/2015 at 15:35 CEST:
On Wed, 29 Jul 2015 10:21:37 +0200
Steve Litt wrote on 29/07/2015 at 06:25 CEST:
[...]
Meanwhile, as far as I can see, their entanglement with
polkit does nothing more than my idea about sudo.
Does anyone see any reason why polkit should
- Original Message -
> From: "kpb"
> Rob Owens wrote:
>>
>> Before I stopped using Jessie, I had USB mounting working
>> with the spacefm file manager and either udevil or pmount to
>> handle the removable devices. Let me know if anybody wants
>> instruction on that.
>>
>> -Rob
>
> He
On Wed, 29 Jul 2015 16:35:56 +0200
a...@gulbrandsen.priv.no wrote:
> Every last problem of sudo is taken seriously? Did you know that if
> someone has limited access, e.g. the right to install standard
> packages, then it is easy to leverage that to get complete access.
> Various packages run p
Every last problem of sudo is taken seriously? Did you know that if
someone has limited access, e.g. the right to install standard
packages, then it is easy to leverage that to get complete access.
Various packages run programs in $PATH as root, Firefox comes to mind,
so just prepare $PATH and
On Wed, 29 Jul 2015 09:46:18 -0400
Steve Litt wrote:
> Just speaking for myself, I'd feel better if, to the extent possible,
> every GUI action is mapped through commands capable of being run on the
> command line.
>
> SteveT
That is a really interesting way of looing at things, thanks for the
On Wed, 29 Jul 2015 08:18:33 +0100
kpb wrote:
> and being able to add *GUI initiated* mount/unmount (say by clicking
> on a volume name in the file manager) would be a real advance over
> pmount in a terminal window.
The preceding is a matter of opinion and dependent on one's philosophy.
I'd sa
On Wed, 29 Jul 2015 10:21:37 +0200
tilt! wrote:
> Hi,
>
> Steve Litt wrote on 29/07/2015 at 06:25 CEST:
> > [...]
> > Meanwhile, as far as I can see, their entanglement with
> > polkit does nothing more than my idea about sudo.
> > Does anyone see any reason why polkit should be assumed
> > m
Le 29/07/2015 14:15, Hendrik Boom a écrit :
On Wed, Jul 29, 2015 at 10:08:56AM +0200, Didier Kryn wrote:
Le 28/07/2015 21:17, Hendrik Boom a écrit :
Once, an icon for the device would appear on my screen that I
could click to mount.
This feature is working very well with xfce4 on Debian W
On Wed, Jul 29, 2015 at 10:08:56AM +0200, Didier Kryn wrote:
> Le 28/07/2015 21:17, Hendrik Boom a écrit :
> >Once, an icon for the device would appear on my screen that I
> >could click to mount.
> This feature is working very well with xfce4 on Debian Wheezy.
> If the partitions on the USB di
Hi,
Steve Litt wrote on 29/07/2015 at 06:25 CEST:
[...]
Meanwhile, as far as I can see, their entanglement with
> polkit does nothing more than my idea about sudo.
> Does anyone see any reason why polkit should be assumed
> more secure than sudo?
I don't know about polkit, but sudoers(5) is a
Le 28/07/2015 21:17, Hendrik Boom a écrit :
Once, an icon for the device would appear on my screen that I
could click to mount.
This feature is working very well with xfce4 on Debian Wheezy. If
the partitions on the USB disk are labelled, they get mountpoints by the
label, on /media. This i
On Tue, 28 Jul 2015 16:26:22 -0400 (EDT)
Rob Owens wrote:
>
> Before I stopped using Jessie, I had USB mounting working
> with the spacefm file manager and either udevil or pmount to
> handle the removable devices. Let me know if anybody wants
> instruction on that.
>
> -Rob
Hello Rob
I'd
eed for polkit and dbus
integration.
-Jude
--
> From: Hendrik Boom
> Sent: 7/28/2015 7:45 PM
> To: dng@lists.dyne.org
> Subject: Re: [DNG] automount, mount, and USB sticks
>
> On Tue, Jul 28, 2015 at 01:08:26PM -0700, Gregory Nowak wrote:
>
On Tue, 28 Jul 2015 20:09:06 -0700
James Powell wrote:
>
> From: Hendrik Boom<mailto:hend...@topoi.pooq.com>
> Sent: 7/28/2015 7:45 PM
> To: dng@lists.dyne.org<mailto:dng@lists.dyne.org>
> Subject: Re: [DNG] automount, mount, and USB
level of control for
admins, I don't have a problem with it.
Thoughts?
From: Hendrik Boom<mailto:hend...@topoi.pooq.com>
Sent: 7/28/2015 7:45 PM
To: dng@lists.dyne.org<mailto:dng@lists.dyne.org>
Subject: Re: [DNG] automount, mount, and USB stick
On Tue, Jul 28, 2015 at 01:08:26PM -0700, Gregory Nowak wrote:
> On Tue, Jul 28, 2015 at 03:17:11PM -0400, Hendrik Boom wrote:
> > Of course I have to guess whether the device has
> > been plugged in as /dev/sdb, or /dev/sde, or whatever. In case of
> > (frequent) doubt, I switch to a root conso
- Original Message -
> From: "Hendrik Boom"
> Over the years the state of mounting USB drives has steadily
> deteriorated on my Debian Jessie laptop.
>
As far as I can tell, that was caused by the introduction of
systemd as a requirement for mounting removable media (at least
the "stand
On Tue, Jul 28, 2015 at 03:17:11PM -0400, Hendrik Boom wrote:
> Of course I have to guess whether the device has
> been plugged in as /dev/sdb, or /dev/sde, or whatever. In case of
> (frequent) doubt, I switch to a root console with control-alt-F1 and a
> login, unplug the device, and plug it i
On Tue, Jul 28, 2015 at 09:29:09AM +0100, kpb wrote:
> On Tue, 28 Jul 2015 00:09:45 -0400
> Steve Litt wrote:
>
> > Cheer up Svante. This isn't for your corporation's web servers, it's
> > for the guy with a desktop, the system's only user, a guy who already
> > has root but just doesn't want to
56 matches
Mail list logo
