[SOLVED] User does not belong to plugdev but can still mount USB flashdrive.


    Hi!

    I'm testing out LL Netbook. I have two user accounts. The first is my main user account and the second ("guest" account) is for other users to use. I took the guest account off the plugdev group so that it couldn't mount any external flash or hard disks. The user is still able to mount and access all the flashdrives and external hard disks I connected to the netbook.

    Is this a bug?

    --- mike t.

    #2
    Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

    I saw your other question on this topic -- it's an interesting one, and I'm not sure of the answer. My gut says the solution, if it exists, is going to be "deeper" than the desktop environment. In other words, I kinda doubt it is a KDE (or Gnome or Xfce) "setting" -- it's probably a function of HAL policies, I would suppose.



      #3
      Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

      I'm downloading Karmic Netbook Remix and will see if I encounter the same problem.



        #4
        Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

        Your goal of limiting a user's permissions on a USB hot-pluggable device is contrary to the expected (default) behavior of every modern OS, including Windows, as far as I can tell. Here is a useful dissertation on the hotplug design for Linux:

        http://people.freedesktop.org/~david...g-OLS-2006.pdf

        You might have to go for something more crude, like limiting access to all devices connected in /media, or something like that.



          #5
          Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

          I agree with what you're saying with respect to the default behavior. I was just hoping that there are built-in permission or policy tweaks I can do to get what I want. With WinXP, I can use a third party app to have such a restriction. With versions prior to KK, a colleague of mine used HAL policies together with udev rules to accomplish such.

          For Karmic and Lucid, at the very least, I'm expecting that if I don't make a user a member of the plugdev group, KDE4 should not allow that user to mount USB flashdrives -- I believe this is the intent behind the plugdev group.

          I also tested Karmic Netbook Remix and got the same result. I'll be testing out the Ubuntu Netbook Edition to see if GNOME behaves the same.



            #6
            Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

            Just tested a fresh install of Ubuntu Netbook Edition. And I'm able to prevent a regular user from mounting a flash drive. I did this by:

            1. Doing this: http://ohioloco.ubuntuforums.org/sho...35&postcount=2
            2. Removing the user from the plugdev group. My test user is member of audio, video, and lpadmin only.

            Upon plugging a flashdrive, I would be asked to authenticate using an admin user.

            This doesn't work on KDE. So it seems KDE ignores PolicyKit, or at least parts of it.



              #7
              Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

              Earlier > Topic: Force mount of all USB external/flash drives to be read-only.


              Links:
              > USB Drive mount permission problem.
              > [ubuntu] Can not write to external usb drive.


              This is with an expendable Lucid installation.


              Doing the opposite of the > [ubuntu] Can not write to external usb drive. Disabling the:
              Code:
              <append key="volume.mount.valid_options" type="strlist">uid=</append>
              line of the /usr/share/hal/fdi/policy/10osvendor/20-storage-methods.fdi

              Earlier:
              Code:
              <!-- allow these mount options for vfat -->
              <match key="volume.fstype" string="vfat">
                <match key="/org/freedesktop/Hal/devices/computer:system.kernel.name" string="Linux">
                  <append key="volume.mount.valid_options" type="strlist">utf8</append>
                  <append key="volume.mount.valid_options" type="strlist">shortname=</append>
                  <append key="volume.mount.valid_options" type="strlist">codepage=</append>
                  <append key="volume.mount.valid_options" type="strlist">iocharset=</append>
                  <append key="volume.mount.valid_options" type="strlist">umask=</append>
                  <append key="volume.mount.valid_options" type="strlist">dmask=</append>
                  <append key="volume.mount.valid_options" type="strlist">fmask=</append>
                  <append key="volume.mount.valid_options" type="strlist">uid=</append>
                  <append key="volume.mount.valid_options" type="strlist">flush</append>
                </match>
              </match>

              Rebooting - inserting a (vfat formatted) flash stick to the system.

              It is mounted to the:
              :~$ ls -l /media
              ...
              drwxr-xr-x 2 root root 32768 1970-01-01 02:00 disk
              ...
              and the files are owned by the root.
              :~$ ls -l /media/disk
              total 448
              -rwxr-xr-x 1 root root 7746 2010-03-04 13:44 DBus.txt
              -rwxr-xr-x 1 root root 1963 2009-12-31 21:34 Error.txt
              -rwxr-xr-x 1 root root 365958 2010-01-17 18:32 mplayer.doc

              Now for an ordinary user the usb stick (and files) are read only.


              [img width=400 height=187]http://img155.imageshack.us/img155/7137/katenosave.png[/img]

              [img width=400 height=272]http://img401.imageshack.us/img401/1040/nocando.png[/img]
              Before you edit, BACKUP !

              Why there are dead links ?
              1. Thread: Please explain how to access old kubuntu forum posts
              2. Thread: Lost Information



                #8
                Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

                Rog131, you constantly amaze me with the treasure of Linux/Kubuntu lore you possess! Truly astounding.
                Windows no longer obstructs my view.
                Using Kubuntu Linux since March 23, 2007.
                "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                  #9
                  Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

                  Excellent -- Rog is the master!

                  He also keeps plenty of Kubuntu installations lying around for sacrifice:

                  Originally posted by Rog131

                  This is with an expendable Lucid installation.



                    #10
                    Re: BUG? -- User does not belong to plugdev but can still mount USB flashdrive.

                    Originally posted by Rog131
                    Doing the opposite of the > [ubuntu] Can not write to external usb drive. Disabling the:
                    Code:
                    <append key="volume.mount.valid_options" type="strlist">uid=</append>
                    line of the /usr/share/hal/fdi/policy/10osvendor/20-storage-methods.fdi
                    Rog, YOU ROCK! This solved it for Kubuntu. At least for VFAT. I have to do the same for all NTFS and other filesystems, right?
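
An added example, not part of the original thread or any poster's code: a small audit for the follow-up question in post #10, listing every `volume.fstype` block in a HAL policy file that still lists `uid=` under `volume.mount.valid_options`. The sample policy is constructed in the layout of the excerpt in post #7, and the function name `fstypes_allowing` is hypothetical.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the layout of the excerpt from post #7 (not the real file):
# uid= is commented out for vfat, still present for ntfs, never listed for ext3.
SAMPLE_FDI = """<deviceinfo version="0.2">
  <device>
    <match key="volume.fstype" string="vfat">
      <match key="/org/freedesktop/Hal/devices/computer:system.kernel.name" string="Linux">
        <append key="volume.mount.valid_options" type="strlist">utf8</append>
        <append key="volume.mount.valid_options" type="strlist">umask=</append>
        <!-- <append key="volume.mount.valid_options" type="strlist">uid=</append> -->
        <append key="volume.mount.valid_options" type="strlist">flush</append>
      </match>
    </match>
    <match key="volume.fstype" string="ntfs">
      <append key="volume.mount.valid_options" type="strlist">uid=</append>
      <append key="volume.mount.valid_options" type="strlist">umask=</append>
    </match>
    <match key="volume.fstype" string="ext3">
      <append key="volume.mount.valid_options" type="strlist">acl</append>
    </match>
  </device>
</deviceinfo>"""

def fstypes_allowing(fdi_xml, option="uid="):
    """Return the sorted fstype names whose block still permits `option`.
    Commented-out lines are skipped: ElementTree drops XML comments."""
    found = set()

    def walk(elem, fstype):
        # Remember the innermost enclosing <match key="volume.fstype" string="...">.
        if elem.tag == "match" and elem.get("key") == "volume.fstype":
            fstype = elem.get("string", fstype)
        if (elem.tag == "append" and fstype is not None
                and elem.get("key") == "volume.mount.valid_options"
                and (elem.text or "").strip() == option):
            found.add(fstype)
        for child in elem:
            walk(child, fstype)

    walk(ET.fromstring(fdi_xml), None)
    return sorted(found)

if __name__ == "__main__":
    # With a path argument, audit that policy file; otherwise use the sample.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_FDI
    for fs in fstypes_allowing(data):
        print(f"{fs}: uid= is still a valid mount option")
```

Only blocks keyed by a plain `string="..."` attribute are recognised; any other match form in a real policy file needs a manual look.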
