Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   ArchLinux Development (http://www.linux-archive.org/archlinux-development/)
-   -   the storage group (http://www.linux-archive.org/archlinux-development/568732-storage-group.html)

Tom Gundersen 08-26-2011 10:07 PM

the storage group
 
Hi guys,

I'm refactoring our support for the "storage" group, due to a recent
bug report about it being incomplete:
<https://bugs.archlinux.org/task/22337>. I thought I'd ask for some
input.

A few words about the usage of the storage group:

For most people the storage group is not needed any more, if all you
want is to mount your device and access the files on it. However, if
you want to use fdisk or any tools accessing the device node directly
you need to have the correct permissions. The main use is therefore to
allow people to use fdisk and dd with their usb sticks.

Our current rules are quite low-level, and hence it's a bit difficult
to tell if they are correct and complete [1]. I suggest that we adopt
the following informal policy:
"All block devices that are removable, or belong to the usb, firewire,
mmc or pcmcia subsystem, and that do not belong to any other group,
are assigned to the storage group."

My suggestion is based on the Debian rules that were pointed out to me by Seblu:

20-arch-storage.rules:
SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="storage"
SUBSYSTEM=="block", SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", GROUP="storage"

The only difference between my proposal and Debian's rules is that I
want to put these with a very low priority (20) instead of a very high
(91), the reason is that other rules should be able to override them
(e.g. a cdrom should end up in the "optical" group). [they also have
support for cbm devices, but unless someone tells me they are relevant
I'll skip them.]

Any comments highly appreciated.

Cheers,

Tom


[1] current rules:

# permissions for removable devices like cardreaders or sticks
KERNEL=="sd*", ATTRS{scsi_level}=="3", ATTRS{type}=="0", GROUP="storage"

# permissions for firewire external drives
KERNEL=="sd*", ATTRS{scsi_level}=="5", GROUP="storage"

# permissions for usb to scsi external adapters
KERNEL=="sd*", ATTRS{scsi_level}=="3", ATTRS{type}=="7", GROUP="storage"

# permissions for ide storage like pcmcia card readers
ACTION!="add", GOTO="pcmcia_end"
SUBSYSTEM!="block", GOTO="pcmcia_end"
KERNEL=="hd*[!0-9]", IMPORT{program}="ata_id --export $tempnode"
KERNEL=="hd*", IMPORT{parent}=="ID_*"
KERNEL=="hd*", ENV{ID_TYPE}=="generic", GROUP="storage"
LABEL="pcmcia_end"

Tom Gundersen 08-27-2011 10:43 PM

the storage group
 
On Sat, Aug 27, 2011 at 12:07 AM, Tom Gundersen <teg@jklm.no> wrote:
> I'm refactoring our support for the "storage" group, due to a recent
> bug report about it being incomplete:
> <https://bugs.archlinux.org/task/22337>. I thought I'd ask for some
> input.

I did a bit more digging and asking around, and it seems that my
previous suggestion, basically to make "storage" work correctly with
more devices, is not a good one.

I tried pushing the fix into udev upstream, but Kay argued against it,
and even the Debian maintainer agreed that this should probably not go
upstream.

Their reasoning (which I guess I agree with) is that giving users
access to usb sticks (among other things) causes security probems (the
user logged in over ssh can access the usb stick of the logged in
user).

Furthermore, (and this I did not know) in addition to taking care of
mounting, udisks has support for most of what fdisk does, so there
goes the main argument in favor of giving user access to these
devices.

To make a long story short; in stead of fixing the "storage" group, I
intend to remove support for it from udev, and direct people to use
udisks instead. If anyone have any objections, pleas let me know.

Cheers,

Tom

Gaetan Bisson 08-27-2011 11:38 PM

the storage group
 
[2011-08-28 00:43:29 +0200] Tom Gundersen:
> To make a long story short; in stead of fixing the "storage" group, I
> intend to remove support for it from udev, and direct people to use
> udisks instead. If anyone have any objections, pleas let me know.

That sounds very good to me.

--
Gaetan

Myra Nelson 08-28-2011 12:15 AM

the storage group
 
On Sat, Aug 27, 2011 at 17:43, Tom Gundersen <teg@jklm.no> wrote:
> On Sat, Aug 27, 2011 at 12:07 AM, Tom Gundersen <teg@jklm.no> wrote:
>> I'm refactoring our support for the "storage" group, due to a recent
>> bug report about it being incomplete:
>> <https://bugs.archlinux.org/task/22337>. I thought I'd ask for some
>> input.
>
> I did a bit more digging and asking around, and it seems that my
> previous suggestion, basically to make "storage" work correctly with
> more devices, is not a good one.
>
> I tried pushing the fix into udev upstream, but Kay argued against it,
> and even the Debian maintainer agreed that this should probably not go
> upstream.
>
> Their reasoning (which I guess I agree with) is that giving users
> access to usb sticks (among other things) causes security probems (the
> user logged in over ssh can access the usb stick of the logged in
> user).
>
> Furthermore, (and this I did not know) in addition to taking care of
> mounting, udisks has support for most of what fdisk does, so there
> goes the main argument in favor of giving user access to these
> devices.
>
> To make a long story short; in stead of fixing the "storage" group, I
> intend to remove support for it from udev, and direct people to use
> udisks instead. If anyone have any objections, pleas let me know.
>
> Cheers,
>
> Tom
>

Pardon the interruption but from a former MS user and basically an end
user I thought I would chime in. Auto mounting is evil and the autorun
feature associated with it is worse. I think removing it from udev is
an excellent idea and I laud your suggestion. It will definitely
improve security and, IMHO, make things easier to setup. One only has
to learn one method, preferably the "correct" method, to do something.
I use the word correct because their are at least 3 right ways to do
things. Your way, my way, and the next person's way. None of which may
be the correct way.

Myra

--
Life's fun when your sick and psychotic!

Jan Steffens 08-28-2011 01:47 AM

the storage group
 
On Sun, Aug 28, 2011 at 12:43 AM, Tom Gundersen <teg@jklm.no> wrote:
> To make a long story short; in stead of fixing the "storage" group, I
> intend to remove support for it from udev, and direct people to use
> udisks instead.

Or, if they don't want udisks, then su root. Given how much damage you
can do with write access to block devices, this seems like a good
idea.

Dieter Plaetinck 08-28-2011 10:03 AM

the storage group
 
On Sun, 28 Aug 2011 00:43:29 +0200
Tom Gundersen <teg@jklm.no> wrote:

> Their reasoning (which I guess I agree with) is that giving users
> access to usb sticks (among other things) causes security probems (the
> user logged in over ssh can access the usb stick of the logged in
> user).

FWIW, I think what you really mean here:
different users logged in on the same system can access each other's plugged-in storage devices.

Dieter


All times are GMT. The time now is 07:08 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.