Currently, any user authenticated for HAL methods such as Mount is
allowed to perform these actions on any block device HAL is following.
This allows ordinary users to do things like unmount partitions not
named /, /bin, /boot, etc. (there's a list in
libhal-storage/libhal-storage.c). But, if you had a partition mounted
at /pub, for instance, a user could perform actions on it.
One thing I noticed that RedHat and SuSE do is tell HAL to ignore all
fixed disks.

$ cat /mnt/suse/usr/share/hal/fdi/policy/10osvendor/99-storage-policy-fixed-drives.fdi
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- SGML -*- -->
<deviceinfo version="0.2">
  <device>
    <match key="@block.storage_device:storage.hotpluggable" bool="false">
      <match key="@block.storage_device:storage.removable" bool="false">
        <merge key="volume.ignore" type="bool">true</merge>
      </match>
    </match>
  </device>
</deviceinfo>

That way, ordinary users are only allowed to perform actions on
storage devices that are hotpluggable or removable. A side effect of
this is that gnome-vfs will not show these disks on the desktop. I
recall someone asked how to get rid of these a few months ago.
Are we interested in this?
--
Dan
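
The matching logic of the .fdi rule quoted above, as an added example that is not part of the original message or of HAL's own code: a minimal evaluator that resolves the "@key:property" indirection and the nested <match> elements over a constructed device store, showing which volumes end up with volume.ignore set. The UDIs, mount points and function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The policy from the message above, embedded so the example runs offline.
FDI = """<deviceinfo version="0.2">
  <device>
    <match key="@block.storage_device:storage.hotpluggable" bool="false">
      <match key="@block.storage_device:storage.removable" bool="false">
        <merge key="volume.ignore" type="bool">true</merge>
      </match>
    </match>
  </device>
</deviceinfo>"""

# Constructed device store: UDI -> properties (all values are made up).
# Only the volume entries carry the back-reference to their drive here.
DEVICES = {
    "/disk/sda": {"storage.hotpluggable": False, "storage.removable": False},
    "/disk/usb": {"storage.hotpluggable": True, "storage.removable": False},
    "/disk/cdrom": {"storage.hotpluggable": False, "storage.removable": True},
    "/vol/pub": {"block.storage_device": "/disk/sda"},    # fixed disk, mounted at /pub
    "/vol/stick": {"block.storage_device": "/disk/usb"},  # USB stick
    "/vol/dvd": {"block.storage_device": "/disk/cdrom"},  # removable media
}

def lookup(udi, key):
    """Resolve a key; '@a:b' reads property b of the device whose UDI is in a."""
    while key.startswith("@"):
        ref, key = key[1:].split(":", 1)
        udi = DEVICES.get(udi, {}).get(ref)
    return DEVICES.get(udi, {}).get(key)  # None when the property is absent

def apply_rules(node, udi, merged):
    """Walk nested <match> elements; a <merge> applies only if all parents matched."""
    for child in node:
        if child.tag == "match":
            want = child.get("bool") == "true"
            if lookup(udi, child.get("key")) is want:  # absent key never matches
                apply_rules(child, udi, merged)
        elif child.tag == "merge" and child.get("type") == "bool":
            merged[child.get("key")] = child.text.strip() == "true"

def ignored_volumes():
    """Return the UDIs for which the policy merges volume.ignore = true."""
    root, out = ET.fromstring(FDI), []
    for udi in DEVICES:
        merged = {}
        for device in root.iter("device"):
            apply_rules(device, udi, merged)
        if merged.get("volume.ignore"):
            out.append(udi)
    return sorted(out)

if __name__ == "__main__":
    print(ignored_volumes())
```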