Bug#788662: Logged-in user no longer granted permission to removable disks
Josh Triplett
josh at joshtriplett.org
Mon Jun 15 16:56:33 BST 2015
On Mon, Jun 15, 2015 at 12:36:45PM +0200, Michael Biebl wrote:
> On 15.06.2015 at 07:34, Martin Pitt wrote:
> > Hey Josh,
> >
> > Josh Triplett [2015-06-13 16:23 -0700]:
> >> I plugged in a removable USB disk, and its devices showed up as root:disk 0660,
> >> with no ACLs. Normally, I'd expect removable USB disks to grant
> >> read/write permission to the logged-in user.
> >> ~$ ls -l /dev/sdb*
> >> brw-rw---- 1 root disk 8, 16 Jun 13 16:17 /dev/sdb
> >> brw-rw---- 1 root disk 8, 17 Jun 13 16:17 /dev/sdb1
> >
> > That's expected. As Michael already said, we never explicitly granted
> > user access to device nodes. Maybe in the past some devices got that
> > through specific group membership, or you had some custom udev rules
> > to do that; but throughout the history of pmount, hal, consolekit,
> > udev etc. in Debian the device nodes themselves weren't user
> > accessible in general. The main exception there that I remember is
> > Fedora's/Red Hat's ancient console_helper (or something similar) which
> > actually changed the device nodes themselves. But that was some decade
> > ago already..
>
> I checked wheezy, and it had the following rules:
> 91-permissions: SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="floppy"
> 91-permissions: SUBSYSTEM=="block", SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", GROUP="floppy"
>
> See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751892
>
> Maybe we should merge those two bug reports?

Merging them seems fine, but I do think this functionality from wheezy
should be restored. Not using the "floppy" group or any static group,
but using the uaccess mechanism.

Either that, or there should be a NEWS.Debian entry somewhere
documenting that direct device access by users was removed and won't
come back for security reasons. But I don't see an obvious reason why
removable USB disk devices should not be accessible to users.

- Josh Triplett
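Added example, not part of the original message or of any Debian package: a small Python audit that parses udev rule lines and lists the rules that change who can open block device nodes, separating static GROUP/OWNER/MODE assignments (like the wheezy rules quoted in the thread) from the `uaccess` tag. The function names are hypothetical, and the third and fourth sample rules are constructed for illustration.

```python
import re

# One udev token: KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN = re.compile(r'(\w+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
MATCH_OPS = {"==", "!="}

def parse_rule(line):
    """Split one rule line into (matches, assignments), each a list of (key, op, value)."""
    tokens = TOKEN.findall(line)
    matches = [t for t in tokens if t[1] in MATCH_OPS]
    assigns = [t for t in tokens if t[1] not in MATCH_OPS]
    return matches, assigns

def block_access_grants(rules_text):
    """Return (line_no, kind, value) for each rule that changes access to block nodes."""
    findings = []
    for no, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        matches, assigns = parse_rule(line)
        # Only rules that positively match the block subsystem are of interest.
        if ("SUBSYSTEM", "==", "block") not in matches:
            continue
        for key, op, value in assigns:
            if key in ("GROUP", "OWNER", "MODE"):
                # Static grant: applies to every member of the group, logged in or not.
                findings.append((no, "static-" + key.lower(), value))
            elif key == "TAG" and value == "uaccess" and op in ("+=", "="):
                # Dynamic grant: logind adds an ACL for the active session's user.
                findings.append((no, "uaccess", value))
    return findings

# Lines 2-3: the wheezy rules quoted in the thread. Lines 4-5: constructed samples.
SAMPLE = '''\
# sample rules for the audit
SUBSYSTEM=="block", ATTRS{removable}=="1", GROUP="floppy"
SUBSYSTEM=="block", SUBSYSTEMS=="usb|ieee1394|mmc|pcmcia", GROUP="floppy"
SUBSYSTEM=="block", SUBSYSTEMS=="usb", TAG+="uaccess"
SUBSYSTEM=="tty", GROUP="dialout"
'''

if __name__ == "__main__":
    for no, kind, value in block_access_grants(SAMPLE):
        print(f"line {no}: {kind} -> {value}")
```

Either kind of finding means raw read/write access to the device node, so each reported rule is worth reviewing against the security concern raised in the thread.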