Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
How do I allow only certain users to mount removable media (cdrom, usb drive, etc.)? By default, using the gnome desktop (for instance), HAL & friends automatically mount a CDROM that's inserted. I need to be able to restrict that to a small list of users. I'm just looking how to do this on a single machine for now.
I think only users parts of the group "plugdev" can automount but haven't really checked as nobody comes on my box..
The users I have on this box (happens to be Fedora 7) are all in their own personal groups only... they aren't members of any other group. And gnome mounts a CD automatically (for any user) when inserted into the drive.
(Furthermore, there is no plugdev group on this box)
If you do a ls -l /bin/mount, you'll see that the "special" (s) flag is set, which means (in this case, I believe) that mount is automatically run a "root" when invoked by another application (or user) running in the appropriate group.
Now, I don't know what command will display the groups the "special" setting allows to use the mount command, but I suspect that udev is starting a script when the CD/DVD device signals that a new disk has been inserted. If that's the case, you need to see what group the udev process uses to run the script, and how the mount is handled.
Alternatively, you could use the chmod command to reset the "run as root" permissions on the mount command to a be some "cdmounter" group, and then make the privileged few members of the group. But that might have some unexpected impact on system operation, so, if I were you, I'd try it first on a stand-alone system and see if it works the way you want.
Or perhaps someone more knowledgeable than I could tell us how to see the details of the "special" setting, or suggest some "proven" approach.
Usually udev will create the device as root and as a last rule (/etc/udev/rules/z99_hal.rules) will tell HAL to mount the device using /usr/bin/pmount
pmount allows plugdev group to mount removable devices into /media
ls -la /usr/bin/plugdev
That's how it works here, I don't know on fedora but as PTrenholme said you could mimic this :
create group plugdev
add your user to plugdev group
change ownership of /bin/mount to
-rwsr-xr-- 1 root plugdev
Then nobody but group plugdev would be able to mount _anything_
But /bin/mount is a critical program. I can't think of any side effect but yes, a proven/clean method would be better.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
