Re: How to limit udisks2 rules to a specific device?

2018-04-09 Thread Mikhail Morfikov
On 2018-04-09 12:30, Richard Hector wrote:
> On 09/04/18 04:50, Mikhail Morfikov wrote:
>> When it comes to mounting devices, I have two simple rules:
>> 1) only root can do it.
>> 2) in some cases only defined users can mount some specific devices.
>>
>> So I want to forbid all users (except root) to access all devices that people
>> can possibly plug into a USB port. But devices can be distinguished by, for
>> instance, some serial number (or something else). I have a USB drive, and I want
>> it to be accessed and mounted by my regular user without asking me for password
>> each time I do so.
> 
> I assume faking the serial number is too difficult to be worried about?
> 
> Richard
> 
I know little about faking the serial number of a device, but it was just an
example. There're lots of things a device can be matched against, and also you
can give different privileges to users even when they operate on the same device.

And, of course, remember that the message, which is returned to a user, is "Not
authorized to perform operation", and not "Not authorized to perform operation
due to not whitelisted serial number". :) So it could be difficult to know why
you're not able to mount such a device in my system.

Anyways, I've managed to install the experimental version of policykit. It works
well, and I was able to set everything in the way I wanted.





Re: How to limit udisks2 rules to a specific device?

2018-04-09 Thread Richard Hector
On 09/04/18 04:50, Mikhail Morfikov wrote:
> When it comes to mounting devices, I have two simple rules:
> 1) only root can do it.
> 2) in some cases only defined users can mount some specific devices.
> 
> So I want to forbid all users (except root) to access all devices that people
> can possibly plug into a USB port. But devices can be distinguished by, for
> instance, some serial number (or something else). I have a USB drive, and I want
> it to be accessed and mounted by my regular user without asking me for password
> each time I do so.

I assume faking the serial number is too difficult to be worried about?

Richard





Re: How to limit udisks2 rules to a specific device?

2018-04-08 Thread Mikhail Morfikov
On 2018-04-08 20:00, Brian wrote:
> On Sun 08 Apr 2018 at 18:50:50 +0200, Mikhail Morfikov wrote:
> 
> [...]
>> I've seen that people use something similar to the following rule:
>> -
>> /etc/polkit-1/localauthority/50-local.d/20-udisks2.pkla
>> -
>> [Allow morfik to mount devices]
>> Identity=unix-user:morfik;
>> Action=org.freedesktop.udisks2.*;
>> ResultAny=no
>> ResultInactive=no
>> ResultActive=yes
>> -
>> And this is a little bit better than the previous solution because it gives me
>> the ability to specify users/groups, and only the parties can do some actions,
>> like for instance mounting a device (to be viewed via pkaction). The problem
>> here is that I can't choose which devices should be accessed by the identity --
>> I'm able only to set which actions can be allowed.
>>
>> In the polkit manual[1], there's an example that would do exactly what I want.
>> I'm speaking about this:
>> --
>> // Grant udisks2 actions on this drive model to members of "engineers"
>> polkit.addRule(function(action, subject) {
>>     if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
>>         action.lookup("drive.vendor") == "SEAGATE" &&
>>         action.lookup("drive.model") == "ST3300657SS" &&
>>         subject.isInGroup("engineers")) {
>>         return polkit.Result.YES;
>>     }
>> });
>> --
>> I bet there's also probably something like:
>>   action.lookup("drive.serial")
>> but I don't really know how to get those values yet.
>>
>> Anyways, I don't think the above rule can be used with the polkit version that's
>> currently in Debian, which is 0.105. That rule can be used when you deal with
>> 0.106+, and 0.113 is available in the experimental branch, but unfortunately it
>> can't be installed due to dependencies problems.
>>
>> Is there a way to convert that rule somewhat or is this functionality specific
>> to the polkit v0.106+?  Or maybe is there another way to achieve what I want?
> 
> Converting from the JavaScript to the old style? Probably not. Converting
> the other way? Maybe.
> 
> https://lists.debian.org/debian-user/2016/01/msg00209.html
> 
I think I need the newer polkit version.





Re: How to limit udisks2 rules to a specific device?

2018-04-08 Thread Brian
On Sun 08 Apr 2018 at 18:50:50 +0200, Mikhail Morfikov wrote:

[...]
> I've seen that people use something similar to the following rule:
> -
> /etc/polkit-1/localauthority/50-local.d/20-udisks2.pkla
> -
> [Allow morfik to mount devices]
> Identity=unix-user:morfik;
> Action=org.freedesktop.udisks2.*;
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
> -
> And this is a little bit better than the previous solution because it gives me
> the ability to specify users/groups, and only the parties can do some actions,
> like for instance mounting a device (to be viewed via pkaction). The problem
> here is that I can't choose which devices should be accessed by the identity --
> I'm able only to set which actions can be allowed.
> 
> In the polkit manual[1], there's an example that would do exactly what I want.
> I'm speaking about this:
> --
> // Grant udisks2 actions on this drive model to members of "engineers"
> polkit.addRule(function(action, subject) {
>     if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
>         action.lookup("drive.vendor") == "SEAGATE" &&
>         action.lookup("drive.model") == "ST3300657SS" &&
>         subject.isInGroup("engineers")) {
>         return polkit.Result.YES;
>     }
> });
> --
> I bet there's also probably something like:
>   action.lookup("drive.serial")
> but I don't really know how to get those values yet.
> 
> Anyways, I don't think the above rule can be used with the polkit version that's
> currently in Debian, which is 0.105. That rule can be used when you deal with
> 0.106+, and 0.113 is available in the experimental branch, but unfortunately it
> can't be installed due to dependencies problems.
> 
> Is there a way to convert that rule somewhat or is this functionality specific
> to the polkit v0.106+?  Or maybe is there another way to achieve what I want?

Converting from the JavaScript to the old style? Probably not. Converting
the other way? Maybe.

https://lists.debian.org/debian-user/2016/01/msg00209.html

-- 
Brian.




How to limit udisks2 rules to a specific device?

2018-04-08 Thread Mikhail Morfikov
I've never used udisks/udisks2 before because I didn't really need it, but
now I thought I could see what the tool is capable of and give it a chance.

When it comes to mounting devices, I have two simple rules:
1) only root can do it.
2) in some cases only defined users can mount some specific devices.

So I want to forbid all users (except root) to access all devices that people
can possibly plug into a USB port. But devices can be distinguished by, for
instance, some serial number (or something else). I have a USB drive, and I want
it to be accessed and mounted by my regular user without asking me for password
each time I do so.

So far, I created two UDEV rules:
-
SUBSYSTEMS=="usb", \
  ENV{UDISKS_IGNORE}="1", \
  ENV{UDISKS_AUTO}="0", \
  ENV{UDISKS_SYSTEM}="1"

ATTRS{serial}=="some-serial-number", \
  ENV{UDISKS_IGNORE}="1", \
  ENV{UDISKS_AUTO}="0", \
  ENV{UDISKS_SYSTEM}="0"
-
The two rules do their job. Basically, the first rule marks all USB devices as
internal/system, and the second rule allows only the specific device to be
accessed by a regular user (later on in udisks). This, of course, allows all
regular users (not just me) to mount the device, so it's not really what I want,
but it's close enough to use it in this form.

I've seen that people use something similar to the following rule:
-
/etc/polkit-1/localauthority/50-local.d/20-udisks2.pkla
-
[Allow morfik to mount devices]
Identity=unix-user:morfik;
Action=org.freedesktop.udisks2.*;
ResultAny=no
ResultInactive=no
ResultActive=yes
-
And this is a little bit better than the previous solution because it gives me
the ability to specify users/groups, and only the parties can do some actions,
like for instance mounting a device (to be viewed via pkaction). The problem
here is that I can't choose which devices should be accessed by the identity --
I'm able only to set which actions can be allowed.

In the polkit manual[1], there's an example that would do exactly what I want.
I'm speaking about this:
--
// Grant udisks2 actions on this drive model to members of "engineers"
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
        action.lookup("drive.vendor") == "SEAGATE" &&
        action.lookup("drive.model") == "ST3300657SS" &&
        subject.isInGroup("engineers")) {
        return polkit.Result.YES;
    }
});
--
I bet there's also probably something like:
  action.lookup("drive.serial")
but I don't really know how to get those values yet.

Anyways, I don't think the above rule can be used with the polkit version that's
currently in Debian, which is 0.105. That rule can be used when you deal with
0.106+, and 0.113 is available in the experimental branch, but unfortunately it
can't be installed due to dependencies problems.

Is there a way to convert that rule somewhat or is this functionality specific
to the polkit v0.106+?  Or maybe is there another way to achieve what I want?

-- Morfik

[1] https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
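
Added example, not part of the thread or of the polkit manual: a polkit 0.106+ rule that lets one user mount one specific drive without a prompt and sends every other udisks2 mount request to admin authentication. The user name comes from the thread; the vendor, model and serial values are constructed, and drive.serial is assumed to be passed by udisks2 in the same way as drive.vendor and drive.model.

```javascript
// Added example for /etc/polkit-1/rules.d/ (polkit 0.106+); not from the thread.
// User "morfik" is from the thread; vendor/model/serial below are constructed.
var ALLOWED_USER = "morfik";
var ALLOWED_DRIVE = {
    "drive.vendor": "EXAMPLE",
    "drive.model": "USB-STICK",
    "drive.serial": "CONSTRUCTED-0001"    // assumed detail key, see lead-in
};
// Mount actions only, instead of the org.freedesktop.udisks2.* wildcard.
var MOUNT_ACTIONS = [
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.udisks2.filesystem-mount-system"
];
// Inside polkitd the global `polkit` exists; the fallback table is a stand-in
// so the decision function can also be exercised under node.
var HAVE_POLKIT = (typeof polkit !== "undefined");
var Result = HAVE_POLKIT ? polkit.Result : { YES: "yes", AUTH_ADMIN: "auth_admin" };

function driveMatches(action) {
    // Every attribute must match. These strings are reported by the device
    // itself, so they identify a drive but do not authenticate it.
    for (var key in ALLOWED_DRIVE) {
        if (action.lookup(key) !== ALLOWED_DRIVE[key]) { return false; }
    }
    return true;
}

function decideMount(action, subject) {
    if (MOUNT_ACTIONS.indexOf(action.id) < 0) {
        return undefined;                 // not a mount: leave it to other rules
    }
    if (driveMatches(action) && subject.user === ALLOWED_USER &&
        subject.local && subject.active) {
        return Result.YES;                // whitelisted drive and user: no prompt
    }
    if (HAVE_POLKIT) {                    // the user only sees "Not authorized"
        polkit.log("udisks2 mount not pre-authorized: user=" + subject.user +
                   " serial=" + action.lookup("drive.serial"));
    }
    return Result.AUTH_ADMIN;             // every other mount needs admin auth
}

if (HAVE_POLKIT) { polkit.addRule(decideMount); }
```

The file goes under /etc/polkit-1/rules.d/ with a .rules extension; `udisksctl status` lists the model and serial strings udisks2 reports for each drive.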


