On 29 September 2011 06:55, Tom Gundersen <teg@xxxxxxx> wrote:
> On Thu, Sep 29, 2011 at 12:36 PM, Fons Adriaensen <fons@xxxxxxxxxxxxxx> wrote:
>> On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
>>
>>> What you are seeing is udisks [0]. The policy that is implemented, if
>>> I understand correctly, is that udisks allows a user who is physically
>>> at the machine to mount the usb drive, but not remote users.
>>>
>>> This makes sense for two reasons:
>>>
>>> * A user who is physically present could just grab the usb stick and
>>> insert it in a laptop where he/she has whatever permissions necessary
>>> to do whatever they want, so no security is lost.
>>
>> This makes no sense. I don't mind if they use their own sticks
>> on their own laptop. I do if they use it on this particular
>> machine.
>
> This is surely a very uncommon scenario. It is easily solved by
> tweaking the PK policies though (which should be expected if you want
> to do something non-standard).

Well, if I have an ext4 flash drive with a SUID bash on it, it's game over if I can mount it. Luckily udisks will mount it "nosuid,nodev" among other things, so it doesn't matter.

And of course, if I have physical access, I can also steal the hard drive.

--
Tavian Barnes
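Added here as a defender's check, not part of the thread: a POSIX shell script that scans mount-table entries in /proc/self/mounts format and flags removable-media mounts (under /media or /run/media) that lack the nosuid/nodev options udisks is expected to apply. The mount table lines below are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Audit check: report removable-media mounts missing nosuid or nodev.
# Input format is that of /proc/self/mounts:
#   device mountpoint fstype options dump pass
# SAMPLE_MOUNTS is constructed for this example; on a live system pass
# the contents of /proc/self/mounts instead (see the usage line at the end).

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/usb1 ext4 rw,relatime 0 0
/dev/sdd1 /run/media/alice/stick vfat rw,nosuid,nodev,noexec 0 0'

# has_opt OPTION OPTLIST: succeed if the comma-separated OPTLIST
# contains OPTION as a whole token (so "nosuid" does not match "nosuidx").
has_opt() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# find_weak_mounts MOUNT_TABLE_TEXT: print one line per mount under
# /media or /run/media that lacks nosuid or nodev; prints nothing when
# every removable-media mount carries both options.
find_weak_mounts() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /media/*|/run/media/*) ;;   # only removable-media mount points
            *) continue ;;
        esac
        missing=""
        has_opt nosuid "$opts" || missing="$missing nosuid"
        has_opt nodev  "$opts" || missing="$missing nodev"
        if [ -n "$missing" ]; then
            printf '%s on %s is missing:%s\n' "$dev" "$mnt" "$missing"
        fi
    done
}

# Live usage: find_weak_mounts "$(cat /proc/self/mounts)"
find_weak_mounts "$SAMPLE_MOUNTS"
```

Only /dev/sdc1 on /media/usb1 is reported for the sample table; the other two removable mounts carry both options.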