LinuxQuestions.org
Old 09-04-2007, 11:06 AM   #1
wallaceg
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Rep: Reputation: 3
allow only certain users to mount media


How do I allow only certain users to mount removable media (cdrom, usb drive, etc.)? By default, using the gnome desktop (for instance), HAL & friends automatically mount a CDROM that's inserted. I need to be able to restrict that to a small list of users. I'm just looking how to do this on a single machine for now.
 
Old 09-04-2007, 11:22 AM   #2
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
I think only users who are part of the group "plugdev" can automount, but I haven't really checked as nobody comes on my box.
 
Old 09-04-2007, 03:27 PM   #3
wallaceg
LQ Newbie
 
Registered: Sep 2007
Posts: 4

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by nx5000
I think only users who are part of the group "plugdev" can automount, but I haven't really checked as nobody comes on my box.
The users I have on this box (happens to be Fedora 7) are all in their own personal groups only... they aren't members of any other group. And gnome mounts a CD automatically (for any user) when inserted into the drive.

(Furthermore, there is no plugdev group on this box)
 
Old 09-04-2007, 05:08 PM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
Quote:
Originally Posted by wallaceg
happens to be Fedora 7
Happens to be that my advice is for Debian...
And it works (tm)

Sorry, dunno Fedora Core.
 
Old 09-04-2007, 05:25 PM   #5
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,153

Rep: Reputation: 331
If you do a ls -l /bin/mount, you'll see that the "special" (s) flag is set, which means (in this case, I believe) that mount is automatically run as "root" when invoked by another application (or user) running in the appropriate group.

Now, I don't know what command will display the groups the "special" setting allows to use the mount command, but I suspect that udev is starting a script when the CD/DVD device signals that a new disk has been inserted. If that's the case, you need to see what group the udev process uses to run the script, and how the mount is handled.

Alternatively, you could use the chmod command to reset the "run as root" permissions on the mount command to be some "cdmounter" group, and then make the privileged few members of the group. But that might have some unexpected impact on system operation, so, if I were you, I'd try it first on a stand-alone system and see if it works the way you want.

Or perhaps someone more knowledgeable than I could tell us how to see the details of the "special" setting, or suggest some "proven" approach.
 
Old 09-05-2007, 06:04 AM   #6
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
Usually udev will create the device as root and, as a last rule (/etc/udev/rules/z99_hal.rules), will tell HAL to mount the device using /usr/bin/pmount.
pmount allows the plugdev group to mount removable devices into /media.
ls -la /usr/bin/plugdev
Code:
root@debian# ls -la /usr/bin/pmount
-rwsr-xr-- 1 root plugdev 33704 2007-08-16 15:49 /usr/bin/pmount
That's how it works here. I don't know on Fedora, but as PTrenholme said you could mimic this:
create group plugdev
add your user to plugdev group
change ownership of /bin/mount to
-rwsr-xr-- 1 root plugdev

Then nobody but group plugdev would be able to mount _anything_

But /bin/mount is a critical program. I can't think of any side effect but yes, a proven/clean method would be better.
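
A check for the arrangement described in the post above, written as an added example that is not part of the original thread: it reads the mode, owner and group of a setuid helper and reports whether execution is limited to one group, as in the pmount listing (-rwsr-xr-- root plugdev). The function names classify and audit_file are hypothetical, and the second sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a setuid mount helper.
# classify/audit_file are hypothetical names; "plugdev" comes from the thread.

# classify MODE OWNER GROUP WANT_GROUP
#   MODE is the 10-character string from ls -l, e.g. -rwsr-xr--
#   Prints one verdict word; returns 0 only for "restricted".
classify() {
    mode=$1 owner=$2 group=$3 want=$4
    u_x=$(printf '%s' "$mode" | cut -c4)    # owner execute / setuid slot
    g_x=$(printf '%s' "$mode" | cut -c7)    # group execute / setgid slot
    o_w=$(printf '%s' "$mode" | cut -c9)    # other write slot
    o_x=$(printf '%s' "$mode" | cut -c10)   # other execute / sticky slot

    # Lowercase s = setuid and owner-executable; S (no execute) is rejected.
    [ "$u_x" = s ] || { echo "not-setuid"; return 1; }
    [ "$owner" = root ] || { echo "not-root-owned"; return 1; }
    [ "$o_w" = - ] || { echo "world-writable"; return 1; }
    case $o_x in
        x|t) echo "world-executable"; return 1 ;;   # any user can run it
    esac
    [ "$group" = "$want" ] || { echo "wrong-group"; return 1; }
    case $g_x in
        x|s) echo "restricted"; return 0 ;;
        *)   echo "group-cannot-execute"; return 1 ;;
    esac
}

# audit_file PATH WANT_GROUP: same check against a file on disk (GNU stat).
# Example call: audit_file /usr/bin/pmount plugdev
audit_file() {
    info=$(stat -c '%A %U %G' "$1") || return 2
    set -- "$2" $info
    classify "$2" "$3" "$4" "$1"
}

# Samples: the pmount line quoted in the thread, then a constructed
# root:root helper that is executable by everyone.
for sample in "-rwsr-xr-- root plugdev" "-rwsr-xr-x root root"; do
    set -- $sample
    printf '%s %s:%s -> %s\n' "$1" "$2" "$3" "$(classify "$1" "$2" "$3" plugdev)"
done
```

Group membership changes only take effect at the user's next login, so run `id -Gn` in a fresh session when confirming who can actually execute the helper.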
 
  


All times are GMT -5.
