On Thu, Sep 29, 2011 at 10:25 AM, Fons Adriaensen <fons@xxxxxxxxxxxxxx> wrote:
> Yet some Gnome/KDE desktop apps are able to mount even when
> running for a normal user, when PK agrees (which in my eyes
> is a subversion of a policy set by the sysadmin). How do they
> do this if neither 'mount' nor the syscalls used by it take
> any notice of PK (thank $GOD for that) ?
>
> The only way I can imagine ATM is that such environments have
> a collection of small suid programs or daemons (all talking
> to PK) that do the work, and that PK is there to allow these
> to be separate from the main apps which require the service.

What you are seeing is udisks [0]. The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users. This makes sense for two reasons:

* A user who is physically present could just grab the usb stick and insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost.

* Furthermore, you probably don't want to have to ask the admin to set up a new entry in fstab for every usb drive that is plugged into your machine.

If you don't like the way this works you could override the policy (look for udisks PK files) or you could just disable / uninstall udisks.

Cheers,

Tom

[0]: <http://www.freedesktop.org/wiki/Software/udisks>