On Fri, 2004-09-10 at 05:40 -0700, Steve G wrote:

> >I'm not sure what the default policy should be though - most people are
> >happy about not having to go to the commandline to get access to their
> >partitions and some people have more or less valid security concerns.
>
> OK, I've had some time to think this over. Traditionally, the default is on the
> open - all inclusive side of things unless there is the possibility of damage.
> e.g., tcp_wrapper defaults to open, iptable defaults to open. You must intervene
> to secure the system.
>
> As long as the drives are only detected and mount points made, I don't have a
> problem. If the drives are *mounted*, I have a real problem. By mounting the
> drive, you may suddenly cause a drive to get fsck'ed by a newer program that
> oopses older kernels, or relabeled by SE Linux which will oops older kernels.
>
> No mounting!
>
> Even though I have hand edited my fstab and hal made mount points, it appears
> not to have mounted the drives.
>

Sure, hal doesn't mount drives. However, when you log in to GNOME then
gnome-volume-manager, in the default configuration, mounts all the drives as
the user who is logging in. And unmounts them at logout.

I think this is sane given the options put in /etc/fstab. An example from my
fstab

 /dev/sda1 /media/compact_flash vfat noauto,user,exec,kudzu,noatime,sync 0 0

and it's mounted as

 /dev/sda1 /media/compact_flash vfat rw,sync,noatime,nodiratime,nosuid,nodev,uid=500,gid=500,fmask=0022,dmask=0022 0 0

Note the nosuid,nodev options thanks to having user in the fstab line. So, I
hope we can agree this is pretty safe?

> Based on a suggestion from Jeff yesterday, I went and tuned my /etc/hal/hald.conf
> file for false, false, false.

That is bad advice; I'm not sure how well turning off media detection works
presently (I test it once in a while though) and I think g-v-m ignores the
automount hint. When Nautilus and GNOME VFS are ready, this will be supported
as well [1].

[1] : GNOME VFS presently relies on the fstab, but there is no fstab entry if
there is no media in card and there won't be if media detection is disabled :-)

> On next boot, the mount points disappeared. Then I
> re-installed hal. My config file was renamed hald.cond.rpmorig. :( There needs
> to be a %config(noreplace) for hald.conf in the spec file.

Sounds like a bug that is easy to fix. I'll do that, thanks for pointing it out.

> Also, on first boot, hal ignores my wishes and puts the mount points there. I
> haven't tried a reboot yet to see if on second boot they go away. Not sure yet if
> this is a regression from yesterday's updates or just a first boot behavior.
>

Disabling media detection in /etc/hal/hald.conf only means we won't poll for
media if we otherwise would do that. So of course hal initially detects your
devices and creates mount points.

> Next question, is there supposed to be a /media/cdrom mount point? or is it still
> /dev/cdrom? Or both?

There is supposed to be a /media/cdrom mount point if you got a CD-ROM only
drive; if it's a DVD-ROM it will be /media/dvdrom, if it's a CD-RW/DVD-RW it
will be /media/cdrw_dvdrw and so on. It will probably reference the
non-symlinked device e.g. /dev/hdc, /dev/hdd, /dev/sr0 or whatever.

With the latest udev, however, there will be compatibility symlinks
/dev/cdrom, /dev/cdrom1, ... that point to the real device file e.g. /dev/hdc.
hal doesn't really care about these symlinks.

David
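The safety argument above rests on a mount(8) rule: a `user` (or `users`) entry in fstab implies `nosuid,nodev,noexec` unless a later option in the same list turns one back on, which is why the quoted line ends up `nosuid,nodev` but still `exec`. The following audit helper is an added example, not code from this thread or from hal; it applies that rule to an fstab line so an admin can see the effective options before a user-mount tool like gnome-volume-manager ever mounts the volume. The sample line is the one quoted in the mail.

```sh
#!/bin/sh
# Constructed sample input: the compact-flash line quoted in the thread.
SAMPLE_FSTAB='/dev/sda1 /media/compact_flash vfat noauto,user,exec,kudzu,noatime,sync 0 0'

# effective_user_opts "<fstab line>"
# Prints the effective suid/dev/exec settings that mount(8) applies when an
# fstab entry is user-mountable ("user" or "users"): all three default to the
# restrictive form and may only be relaxed by an explicit suid/dev/exec that
# appears later in the option list.  Prints "not-user-mountable" otherwise.
effective_user_opts() {
    set -- $1                        # split the line into its six fields
    opts=$4                          # fourth field is the option list
    user=0; suid=nosuid; dev=nodev; exec=noexec
    saved_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            user|users) user=1 ;;
            exec)       exec=exec ;;
            noexec)     exec=noexec ;;
            suid)       suid=suid ;;
            nosuid)     suid=nosuid ;;
            dev)        dev=dev ;;
            nodev)      dev=nodev ;;
        esac
    done
    IFS=$saved_ifs
    if [ "$user" -eq 0 ]; then
        echo not-user-mountable
    else
        echo "$suid,$dev,$exec"
    fi
}

# audit_fstab <file>: report every user-mountable entry and its effective options.
audit_fstab() {
    grep -v '^[[:space:]]*#' "$1" | while read -r line; do
        [ -n "$line" ] || continue
        printf '%s -> %s\n' "$(echo "$line" | cut -d' ' -f2)" \
            "$(effective_user_opts "$line")"
    done
}

effective_user_opts "$SAMPLE_FSTAB"   # prints: nosuid,nodev,exec
```

Run `audit_fstab /etc/fstab` on a real system to list which entries an ordinary user may mount and whether any of them has had `suid` or `dev` re-enabled.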