Removable media permissions on CentOS

DaveQB · 10-23-2009, 01:05 AM

Hi all,

I followed this great primer to udev:
http://reactivated.net/writing_udev_rules.html

So my aim is to control perms on devices mounted.

2 Issues.

1.

Code:

udevinfo -a -p /sys/block/sdb

  looking at device '/block/sdb':
    KERNEL=="sdb"
    SUBSYSTEM=="block"
    SYSFS{stat}=="      26       11      296      322        0        0        0        0        0      316      322"
    SYSFS{size}=="31588352"
    SYSFS{removable}=="1"
    SYSFS{range}=="16"
    SYSFS{dev}=="8:16"

  looking at parent device '/devices/pci0000:00/0000:00:1a.7/usb1/1-4/1-4:1.0/host7/target7:0:0/7:0:0:0':
    ID=="7:0:0:0"
    BUS=="scsi"
    DRIVER=="sd"
    SYSFS{ioerr_cnt}=="0x1"
    SYSFS{iodone_cnt}=="0x10a7"
    SYSFS{iorequest_cnt}=="0x10a7"
    SYSFS{iocounterbits}=="32"
    SYSFS{timeout}=="60"
    SYSFS{state}=="running"
    SYSFS{rev}=="0.00"
    SYSFS{model}=="Voyager Mini    "
    SYSFS{vendor}=="Corsair "
    SYSFS{scsi_level}=="3"
    SYSFS{type}=="0"
    SYSFS{queue_type}=="none"
    SYSFS{queue_depth}=="1"
    SYSFS{device_blocked}=="0"
    SYSFS{max_sectors}=="240"

  looking at parent device '/devices/pci0000:00/0000:00:1a.7/usb1/1-4/1-4:1.0/host7/target7:0:0':
    ID=="target7:0:0"
    BUS==""
    DRIVER==""

  looking at parent device '/devices/pci0000:00/0000:00:1a.7/usb1/1-4/1-4:1.0/host7':
    ID=="host7"
    BUS==""
    DRIVER==""

  looking at parent device '/devices/pci0000:00/0000:00:1a.7/usb1/1-4/1-4:1.0':
    ID=="1-4:1.0"
    BUS=="usb"
    DRIVER=="usb-storage"
    SYSFS{modalias}=="usb:v1B1Cp0B31d0100dc00dsc00dp00ic08isc06ip50"
    SYSFS{bInterfaceProtocol}=="50"
    SYSFS{bInterfaceSubClass}=="06"
    SYSFS{bInterfaceClass}=="08"
    SYSFS{bNumEndpoints}=="03"
    SYSFS{bAlternateSetting}==" 0"
    SYSFS{bInterfaceNumber}=="00"

So my understanding is I could use DRIVERS=="usb-storage" its its in a parent device.

so I created this:

SUBSYSTEM=="block", DRIVERS=="usb-storage", MODE="0600"

But then I get:

Code:

udevtest  /sys/block/sdb
add_to_rules: unknown key 'DRIVERS'
main: unable to open '/sys/block/sdb'

If I change it to DRIVER is doesn't complain, but of course, doesn't work.

2. The device is being created with these perms:

Code:

ll /dev/sdb1
brw-r----- 1 root disk 8, 17 Oct 23 14:38 /dev/sdb1

Code:

mount |grep sdb1
/dev/sdb1 on /media/corsair type vfat (rw,noexec,nosuid,nodev,noatime,uid=1249,utf8,shortname=lower)

Code:

ll -d /media/corsair/
drwxr-xr-x 8 btest root 8192 Jan  1  1970 /media/corsair/

How can the mount of the device have weaker perms than the underlying device??

This is with a KDE desktop ontop.

Thanks for reading.

DaveQB · 10-25-2009, 09:53 PM

I wasn't wrong thinking it was a tough one

I am going to venture more into this today. Fingers crossed.

DaveQB · 10-29-2009, 01:38 AM

So now I think its controlled by hal.
When I saw this in the logs:

hald: mounted /dev/sdb1 on behalf of uid 1249

http://www.jefferyfernandez.id.au/20...ng-of-volumes/

http://wiki.archlinux.org/index.php/HAL

The former site looked promising and the default hal.conf file I had was much more open, allowing alot [on a default CentOS 5.3 install]

/etc/dbus-1/system.d/hal.conf

so I trimmed it down and also tried just copying and pasting the one from the article that was the restrictive one, but I could still mount a USB thumb drive.

So I am lost now. I even cut the hal.conf down even further, so minimal I thought it would break, but still able to mount as a simple user.

I did notice this in the logs:

userhelper[3317]: running '/usr/sbin/eject /dev/sdb1' with root privileges on behalf of 'btest'

But userhelper is from the usermode package which seems to only pertain to halting, shutting down and rebooting.

Damn, why is this so hard!

It looks like Fedora has gone to PolicyKit, so I can't get any help from there.