On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote: > What you are seeing is udisks [0]. The policy that is implemented, if > I understand correctly, is that udisks allows a user who is physically > at the machine to mount the usb drive, but not remote users. > > This makes sense for two reasons: > > * A user who is physically present could just grab the usb stick and > insert it in a laptop where he/she has whatever permissions necessary > to do whatever they want, so no security is lost. This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it one this particular machine. > * Furthermore, you probably don't want have to ask the admin to set up > a new entry in fstab for every usb drive that is plugged into your > machine. Not necessary. Priveleges to do certain things are given per user or to groups, it's done when a user's account is set up and that's it. Sudo can handle this nicely. The fstab entries for my own usb disks are there mainly because they have dedicated mount points. The last thing I want as an admin is a 'parallel administration' such as polkit, in particular if it can grant priveleges just by adding some files to a directory. That's very convenient for package managers etc. but it surely does not enhance security. > If you don't like the way this works you could override the policy > (look for udisks PK files) or you could just disable / uninstalll > udisks. Don't worry, there's no udisks on any machine I control. Nor Gnome or KDE for that matter. I do have polkit though, for just one reason: emacs -> gconf -> polkit. So as my vim skills improve I'll probably get rid of emacs and gconf some time. Ciao, -- FA
