On 29 September 2011 06:55, Tom Gundersen email@example.com wrote:
On Thu, Sep 29, 2011 at 12:36 PM, Fons Adriaensen firstname.lastname@example.org wrote:
On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
What you are seeing is udisks . The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users.
This makes sense for two reasons:
- A user who is physically present could just grab the usb stick and
insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost.
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it one this particular machine.
This is surely a very uncommon scenario. It is easily solved by tweaking the PK policies though (which should be expected if you want to do something non-standard).
Well if I have an ext4 flash drive with a SUID bash on it, it's game over if I can mount it. Luckily udisks will mount it "nosuid,nodev" among other things, so it doesn't matter. And of course, if I have physical access, I can also steal the hard drive.