On Tue, Sep 18, 2007 at 06:33:36PM +0200, Harald Dunkel wrote:
> Hi Dirk,
>
> > I have the following udev rules defined for my usb devices:
> >
> > : [snip]
> > # USB Stick SanDisk 1GB
> > SUBSYSTEMS=="usb", KERNEL=="sd*", ATTRS{product}=="Cruzer Micro",
> > ATTRS{serial}=="2005173991167CA2BF93", SYMLINK="usb/stick%n"
> >
>
> For a single PC it might not matter to hardwire vendor and
> serial number of your USB stick in udev/rules.d, as you have
> shown. But if you have to manage 80 Linux PCs, and if you would
> like to give your users an option to mount "their" encrypted usb
> sticks on any PC, then you might imagine that the effort to
> hardwire vendor and serial number of every USB stick of every
> user in the udev rules on every PC is too high. It sucks.
>
> I would like to mount _any_ encrypted usb stick without being
> root, and without having to look for what became of the "%n"
> in the SYMLINK option. The procedure I would like to have would
> be: The user plugs in his USB stick, runs "mount /usb" (or
> maybe "luksmount /usb"), enters the passphrase, and then it is
> mounted. When he has done his job he runs "umount /usb", waits
> for the LED, and pulls it out. GUI support would be nice-to-have,
> but command line support is must-have.
>
> For not encrypted usb sticks this procedure is no problem.

Not true. It requires the sysadmin (or distribution) to allow the
user to mount certain devices. In a security-critical environment,
this is typically not allowed and users cannot mount devices.

> How comes that it cannot be implemented for encrypted filesystems?

Access to the device mapper is root-only. That is very sensible,
since by remapping disk parts users could likely circumvent OS
protection and make themselves root. That would, incidentally,
make encryption pretty worthless on multi-user machines.

Arno
--
Arno Wagner, Dipl. Inform., CISSP --- CSG, ETH Zurich, wagner@xxxxxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
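An added illustration of the naming problem discussed in the thread above (it is not from either poster): the per-stick rule as quoted, beside a generic rule that names any USB disk from its own serial so one rules file can be copied to every PC. It assumes a udev that supports the `$attr{...}` substitution and the `SYMLINK+=` form; naming the node is all it does, since mounting and the dm-crypt mapping stay root-only exactly as Arno describes.

```udev
# Per-stick rule as posted on the list: one rule per user per PC,
# which is the maintenance burden Harald wants to avoid.
SUBSYSTEMS=="usb", KERNEL=="sd*", ATTRS{product}=="Cruzer Micro", \
    ATTRS{serial}=="2005173991167CA2BF93", SYMLINK+="usb/stick%n"

# Generic alternative (assumption: this udev version resolves $attr{serial}
# against the USB parent that the ATTRS match selected): any USB-attached
# sd* device that exposes a non-empty serial gets a stable name derived
# from it, e.g. /dev/usb/stick-2005173991167CA2BF93 for the whole disk and
# /dev/usb/stick-2005173991167CA2BF931 for its first partition (%n is the
# kernel partition number and is empty for the whole disk). No vendor or
# serial has to be hardwired, so the same file works on all 80 PCs.
SUBSYSTEMS=="usb", KERNEL=="sd*", ATTRS{serial}=="?*", \
    SYMLINK+="usb/stick-$attr{serial}%n"
```

A stable node name does not grant mount rights: for the unencrypted case a sysadmin would still have to add an fstab entry with `user,nosuid,nodev,noexec` for that node, and the LUKS open step remains root-only as the reply explains.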