IMHO automount for desktop is a helper for a user running some X session. Usually that means that a single person is using this system. So make him a helper which can do automount/autorun etc which helps him on a daily basis. Helps him not the admin of the system. A simple one which is a helper, not a policeman/guardian/supervisor who monitors and authorizes user's actions.
I understand that sysadmin of a server with many different users will not install such thing on his system, cause this make be used to break security. If the tool is simple enouth to do limited number of actions, it can be audited and secured and maybe some day it will be accepted even on multiuser systems. There is also automount for a sysadmin on a multiuser server, with no X sessions, which makes life of sysadmin easier. Same name two different targets. Same tool might be used for both, but I personally would prefer to have two different ones. For my X session perfect tool is a panel application listing available devices with it's current/future mount point, disk size/usage, allowing mount/unmount/eject by mouse click. It may have a checkboxes to automount/autorun new devices. I will not use it, but I do not care if it is there if it is not turned on or it can be easily turned off. It may list entries from fstab, autodiscoverd devices or even also from it's own config file for those who want to put more complicated mount/umount scripts. For anything more complex su/sudo is better (for me). I understand that there is a closed list of actions every user will have to perform on any system while running interactive graphic session. As such user would expect to have helpers for such actions easily available (perfectly on desktop or as visible panel applets). Later one will learn and choose the tools one wants and the way one want to use them. And a fixed set of simple helpers visible on desktop/panel would make a life easier. On Thu, Jul 30, 2015 at 3:18 PM, Rob Owens <[email protected]> wrote: > ----- Original Message ----- >> From: "Isaac Dunham" <[email protected]> >> I'm not sure where in the discussion this fits, but I thought I'd mention >> it here: >> Permitting all mount invocations via sudo does have a potential security >> hole if your mount implementation supports FUSE, as you can run an arbitrary >> command by specifying the mount type. >> I don't think that sudo does the necessary steps to block this. >> >> If you use a wrapper script, you can make it automatically determine the >> type and run ntfs-3g if appropriate, then allow sudo to run that. >> If you use a C wrapper, you can do that and make it suid. >> > Another reason not to give users wholesale access to the mount command is that > they could then 'mount -o remount,rw' any filesystem that the administrator > has mounted read-only. To protect against this, I think you probably need > something a bit more complicated than just sudo. Of course, for a single > user system, this is not a problem. > > -Rob > _______________________________________________ > Dng mailing list > [email protected] > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng _______________________________________________ Dng mailing list [email protected] https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
