[arch-general] File permissions with udisks/udisk2 mounts
I tried asking this on the forum, didn't get any real answers, so I'm hoping someone here can help.

I have a script located on a Vfat-formatted flash drive. When mounted using udisks, there are no execute permissions showing on the files, and they cannot be set.

After some research, it seems that udisks works with polkit to set things like permission on mounted devices. Unfortunately, so far my attempts at research haven't led me to any information on setting permissions the way I need them, or even where the settings are stored. So I'm hoping someone can point me in the right direction - I want to be able to modify things like execute permissions on mounted devices when I need to. I'm not all that partial to being effectively told I can't do that - reminds me much too much of Windows.

I've tried a few workarounds, with little or no success. I installed pmount and used it with the -e option to mount the device. Still no execute permissions. I tried using sh to execute the script - failed again.... I also tried adding the device to /etc/fstab. In that instance, the file showed as executable, but any attempt to execute it, even as root, got a 'permission denied' message. Argh!

Paul.
On Thu, 22 Nov 2012 17:00:20 +0000 Paul Marwick <paul.marwick@gmail.com> wrote:
- I want to be able to modify things like execute permissions on mounted devices when I need to. I'm not all that partial to being effectively told I can't do that - reminds me much too much of Windows.
The need to constantly review the source to work out exactly what polkit allows is my primary reason to disable it. You can use udev blkid and the mount options umask and uid= and a umount sudo wrapper. Or just mount via a button. You may find spacefm or udevil more configurable but I haven't had time to look into them fully. I'll hunt out the link to my script and udev rules if need be but I haven't polished it for general use.
On Thu, Nov 22, 2012 at 09:31:38PM +0000, Kevin Chadwick wrote:
The need to constantly review the source to work out exactly what polkit allows is my primary reason to disable it.
What is your way to disable it once and for all ?

-- FA
On Thu, 22 Nov 2012 21:52:30 +0000 Fons Adriaensen <fons@linuxaudio.org> wrote:
The need to constantly review the source to work out exactly what polkit allows is my primary reason to disable it.
What is your way to disable it once and for all ?
Well I wouldn't say once and for all. In a link from a thread about /usr earlier this week I read of a Gentoo guy who has disabled all the kits and probably did it more properly by building packages without polkit support but I don't have time for that.

I still keep an eye on it but simply removed the suid permissions from a few files and do so after polkit upgrades via the upgrade pacman wrapper scripts I already had.

/bin/chmod -s /usr/lib/polkit-1/polkit-agent-helper
/bin/chmod -s /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/chmod -s /usr/bin/pkexec (I prefer sudo anyway)

I tried to keep it as undrastic as possible without affecting dbus and so things like default power managers, but more subtle suid removal attempts failed. I imagine network manager is broken, but it hasn't bothered me yet, possibly never. It may be fine to simply prevent execution or dummy polkit but I didn't have time to investigate and worried about timeouts that dbus permission denied may be preventing.

I did consider a block all permissions rule but figured if I don't need it then I don't want it running as root reinforced by my experience of the main developer and his blog showing implementing things without due consideration, peer review or management.

My users haven't noticed so far anyway ;-)
On 11/22/12 at 05:00pm, Paul Marwick wrote:
I tried asking this on the forum, didn't get any real answers, so I'm hoping someone here can help.
I have a script located on a Vfat-formatted flash drive. When mounted using udisks, there are no execute permissions showing on the files, and they cannot be set.
After some research, it seems that udisks works with polkit to set things like permission on mounted devices. Unfortunately, so far my attempts at research haven't led me to any information on setting permissions the way I need them, or even where the settings are stored. So I'm hoping someone can point me in the right direction - I want to be able to modify things like execute permissions on mounted devices when I need to. I'm not all that partial to being effectively told I can't do that - reminds me much too much of Windows.
I've tried a few workarounds, with little or no success. I installed pmount and used it with the -e option to mount the device. Still no execute permissions. I tried using sh to execute the script - failed again.... I also tried adding the device to /etc/fstab. In that instance, the file showed as executable, but any attempt to execute it, even as root, got a 'permission denied' message. Argh!
Paul.
Have you tried manually mounting with something like:

# mount -o exec /dev/whatever /mount/point

I don't use udisks, but I use pmount and (I think) it automatically mounts with the noexec option. I have never had a reason to try to get around this, so I also cannot speak to whether or not working around it is functional.

But I figure if you do it manually, and specify exec, if it still doesn't work, then you at least then know that it is not specific to any of these automounting functions you use.

--
Curtis Shimamoto sugar.and.scruffy@gmail.com
Curtis Shimamoto wrote:
Have you tried manually mounting with something like:
# mount -o exec /dev/whatever /mount/point
I don't use udisks, but I use pmount and (I think) it automatically mounts with the noexec option. I have never had a reason to try to get around this, so I also cannot speak to whether or not working around it is functional.
Thanks for the suggestion. I hadn't tried that, though I had tried pmount with the -e flag, which should set executable permissions. Mounted as you suggest, the script is executable. :) It failed again, but that was because I didn't have mtools installed, and was easy to fix. Interesting that a manual mount worked where pmount and mount using 'noauto' in /etc/fstab didn't.
But I figure if you do it manually, and specify exec, if it still doesn't work, then you at least then know that it is not specific to any of these automounting functions you use.
:) I guess it proves that it is down to udisks/polkit. I'd still like to know how I can control the options set by them, but at least your suggestion allows me to do what I need. Thanks again.

Paul.
On Thu, 22 Nov 2012 22:31:10 +0000 Paul Marwick <paul.marwick@gmail.com> wrote:
Curtis Shimamoto wrote:
Have you tried manually mounting with something like:
# mount -o exec /dev/whatever /mount/point
I don't use udisks, but I use pmount and (I think) it automatically mounts with the noexec option. I have never had a reason to try to get around this, so I also cannot speak to whether or not working around it is functional.
Thanks for the suggestion. I hadn't tried that, though I had tried pmount with the -e flag, which should set executable permissions.
No, it shouldn't. Please consult the manpage and run pmount with --debug. You'll see that the relevant output is

===============
You can change with the -c option
spawnv(): executing /bin/mount '/bin/mount' '-t' 'vfat' '-o' 'nosuid,nodev,user,quiet,shortname=mixed,async,atime,exec,uid=1000,gid=100,umask=077,fmask=0177,dmask=0077,utf8,iocharset=iso8859-1' '/dev/sdb1' '/media/...'
===============

Notice that fmask is (automatically) set 0177 because vfat/ntfs has a creepy feature of having all files executable. If you are OK with that, use "pmount --fmask 0077 --exec".

In any case, even with noexec and fmask=0177, calling "bash /media/<dir>/<script>" still works, so you must be doing something wrong...
Mounted as you suggest, the script is executable. :) It failed again, but that was because I didn't have mtools installed, and was easy to fix. Interesting that a manual mount worked where pmount and mount using 'noauto' in /etc/fstab didn't.
But I figure if you do it manually, and specify exec, if it still doesn't work, then you at least then know that it is not specific to any of these automounting functions you use.
:) I guess it proves that it is down to udisks/polkit. I'd still like to know how I can control the options set by them, but at least your suggestion allows me to do what I need. Thanks again.
Paul.
-- Leonid Isaev GnuPG key: 0x164B5A6D Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
On Fri, 23 Nov 2012 13:12:57 -0600 Leonid Isaev <lisaev@umail.iu.edu> wrote:
In any case, even with noexec and fmask=0177, calling "bash /media/<dir>/<script>" still works, so you must be doing something wrong...
I missed the tried sh part. You only need read for shell as bash is what has execute permissions. It would be good if interpreters honoured noexec or there was a nointerp flag but they don't. Of course you can wrap any interpreter easily enough to do this. Can you even open the script that failed with an editor? And you did use /bin/sh script.sh and not . to execute, right? If you can read with root but not a user or not with root or not with either then it might be quite telling. If you can read with both then the output of mount would be needed and might be useful anyway.
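
Added example, not part of the original thread: a small POSIX shell function that applies the vfat mask options and the exec/noexec flags, left to right, to an option string such as the one in the pmount --debug output above, and reports whether a script can be run directly or only through an interpreter. The function name and the 022 fallback mask are assumptions made for this illustration; it models option semantics only and does not inspect a live mount.

```shell
#!/bin/sh
# Illustration only: effective vfat permissions derived from a mount option string.

vfat_exec_report() {
    opts=$1
    # Assumed fallback; the real default is the mounting process's umask.
    fmask=022
    dmask=022
    noexec=0
    old_ifs=$IFS
    IFS=,
    for o in $opts; do
        case $o in
            umask=*) fmask=${o#umask=}; dmask=$fmask ;;  # umask sets both masks
            fmask=*) fmask=${o#fmask=} ;;                # regular files only
            dmask=*) dmask=${o#dmask=} ;;                # directories only
            noexec|user|users) noexec=1 ;;  # mount(8): user implies noexec
            exec|defaults) noexec=0 ;;      # a later exec overrides it
        esac
    done
    IFS=$old_ifs
    # Every vfat file starts at 0777; the mask clears bits. The leading 0
    # forces the value to be read as octal.
    fmode=$(( 0777 & ~0$fmask ))
    dmode=$(( 0777 & ~0$dmask ))
    # Direct execution needs both an exec-enabled mount and the owner x bit.
    if [ "$noexec" -eq 1 ]; then
        direct="no (noexec)"
    elif [ $(( fmode & 0100 )) -eq 0 ]; then
        direct="no (fmask clears owner x)"
    else
        direct="yes"
    fi
    # "sh script" only needs read access: the interpreter is what gets executed.
    if [ $(( fmode & 0400 )) -ne 0 ]; then interp=yes; else interp=no; fi
    printf 'file=%04o dir=%04o direct_exec=%s via_interpreter=%s\n' \
        "$fmode" "$dmode" "$direct" "$interp"
}

# Option string copied from the pmount --debug output quoted in the thread.
vfat_exec_report 'nosuid,nodev,user,quiet,shortname=mixed,async,atime,exec,uid=1000,gid=100,umask=077,fmask=0177,dmask=0077,utf8,iocharset=iso8859-1'
# Constructed variants: fmask relaxed to 0077, and noexec combined with fmask=0177.
vfat_exec_report 'user,exec,umask=077,fmask=0077,dmask=0077'
vfat_exec_report 'noexec,fmask=0177'
```

The results are computed for the owning uid; noexec and fmask are independent controls, and neither prevents an interpreter from reading and running a script that is readable.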
participants (5)
- Curtis Shimamoto
- Fons Adriaensen
- Kevin Chadwick
- Leonid Isaev
- Paul Marwick