Just found weirdo action. I connect my Olympus camera into computer. Nothing happens, but I can find "unknown" in filemanager. Now try to open it, I get response, that need to be root, to mount camera into system???? What? Earlier I could mount it as a normal user... What has happened, not using selinux or so.. Have updated system some three times, after last camera mount, so why now have to be root, mount camera?
Jarmo
On 06.07.2014 10:19, jarmo wrote:
Just found weirdo action. I connect my Olympus camera into computer. Nothing happens, but I can find "unknown" in filemanager. Now try to open it, I get response, that need to be root, to mount camera into system???? What? Earlier I could mount it as a normal user... What has happened, not using selinux or so.. Have updated system some three times, after last camera mount, so why now have to be root, mount camera?
Jarmo
$ loginctl show-session $(loginctl|grep $(whoami)|awk '{print $1}')
poma
Sun, 06 Jul 2014 10:38:57 +0200 poma pomidorabelisima@gmail.com wrote:
$ loginctl show-session $(loginctl|grep $(whoami)|awk '{print $1}')
poma
And what should I see there?
Again, connecting camera as ME has worked earlier, now need root privileges.. What has changed?
Linux oh1mrr.ampr.org 3.14.9-200.fc20.i686+PAE #1 SMP Thu Jun 26 22:02:38 UTC 2014 i686 i686 i386 GNU/Linux
Jarmo
jarmo oh1mrr@nic.fi writes:
Just found weirdo action. I connect my Olympus camera into computer. Nothing happens, but I can find "unknown" in filemanager. Now try to open it, I get response, that need to be root, to mount camera into system???? What? Earlier I could mount it as a normal user...
Huh? Why would anyone but root be allowed to mount something?
Allegedly, on or about 06 July 2014, lee sent:
Why would anyone but root be allowed to mount something?
Because *I* put a CD, DVD, USB drive, into *my* computer, logged in as *myself*...
If I have to be root, or gain root privileges, to do such a basic requirement, these days, then security is being busted by either knowing the root password, or being allowed to use my own password for such a hazardous thing.
Tim ignored_mailbox@yahoo.com.au writes:
Allegedly, on or about 06 July 2014, lee sent:
Why would anyone but root be allowed to mount something?
Because *I* put a CD, DVD, USB drive, into *my* computer, logged in as *myself*...
That doesn't mean that you should be allowed to mount it when you're not root. And your computer doesn't know /who/ added some media, does it.
If I have to be root, or gain root privileges, to do such a basic requirement, these days, then security is being busted by either knowing the root password, or being allowed to use my own password for such a hazardous thing.
Security is more likely to be busted by users carelessly mounting file systems than it is by users knowing the passwords for their computers, unless busted intentionally.
Anyway, I wonder why the OP doesn't just mount the camera as usual. It seemed to be mountable.
On 07/07/2014 05:15 PM, lee wrote:
Tim ignored_mailbox@yahoo.com.au writes:
Allegedly, on or about 06 July 2014, lee sent:
Why would anyone but root be allowed to mount something?
Because *I* put a CD, DVD, USB drive, into *my* computer, logged in as *myself*...
That doesn't mean that you should be allowed to mount it when you're not root. And your computer doesn't know /who/ added some media, does it.
I'm using F 19 with Xfce. If I insert a flash drive, it's mounted without asking for a password because that's what I told Xfce how I wanted this handled. The same thing goes for my mp3 player and camera. For various reasons, I have a partition on my hard drive that's not in /etc/fstab. It doesn't get mounted at boot although there's an icon for it on my desktop. Mounting it requires the root password, although oddly enough I can un-mount it without any password. If this were a server, things would probably be set up differently but considering that I'm the only person who uses this computer, it's configured more for convenience than security. Each person's needs are different, and this is just another example where *nix lets people do things their own way instead of insisting that there's One True Way.
On 07/07/14 22:44, Tim wrote:
Allegedly, on or about 06 July 2014, lee sent:
Why would anyone but root be allowed to mount something?
Because *I* put a CD, DVD, USB drive, into *my* computer, logged in as *myself*...
If I have to be root, or gain root privileges, to do such a basic requirement, these days, then security is being busted by either knowing the root password, or being allowed to use my own password for such a hazardous thing.
If folks would reference the other thread entitled "Camera mounting" they may discover the partial answer. With maybe a tiny bit of investigation. The OP was booting their system to multi-user.target, a.k.a. run level 3.
So.....
Boot to multi-user.target
login
startxfce4
insert USB drive
icon appears on desktop
click on icon, system requests authentication

logout/login
startx (default for me is KDE)
insert USB drive
USB drive is auto-mounted under /run/media/$user/something

Boot to graphical.target
login selecting xfce4 as desktop
insert USB drive
icon appears on desktop
click on icon, USB drive is auto-mounted under /run/media/$user/something
I leave it up to xfce users to determine the difference between the 2 starting methods. :-)
On 07/08/14 09:52, Joe Zeff wrote:
On 07/07/2014 06:21 PM, Ed Greshko wrote:
I leave it up to xfce users to determine the difference between the 2 starting methods. :-)
If it matters, I can ask about it at the Xfce forum for you.
I thought it was clear that it matters not to me. If it wasn't....
I don't care, since I don't use xfce and to boot I hardly ever start in multi-user mode with the intent of bringing up a desktop.
On 08.07.2014 04:06, Ed Greshko wrote:
On 07/08/14 09:52, Joe Zeff wrote:
On 07/07/2014 06:21 PM, Ed Greshko wrote:
I leave it up to xfce users to determine the difference between the 2 starting methods. :-)
If it matters, I can ask about it at the Xfce forum for you.
I thought it was clear that it matters not to me. If it wasn't....
I don't care, since I don't use xfce and to boot I hardly ever start in multi-user mode with the intent of bringing up a desktop.
So you do not care, but you do not hesitate to jump into the thread to provoke Xfce users out of boredom or just for fun? Really Ed.
poma
Mon, 07 Jul 2014 17:55:46 -0700 Joe Zeff joe@zeff.us wrote:
I'm using F 19 with Xfce. If I insert a flash drive, it's mounted without asking for a password because that's what I told Xfce how I wanted this handled. The same thing goes for my mp3 player and camera. For various reasons, I have a partition on my hard drive
I'm using XFCE also. But do the test. Change your boot into multi-user (runlevel 3) and when logged in do startxfce4 and connect memory stick or your camera. To me happened, that every time asked me for root passwd to open.
jarmo
On 8 July 2014 01:15, lee lee@yun.yagibdah.de wrote:
Tim ignored_mailbox@yahoo.com.au writes:
Allegedly, on or about 06 July 2014, lee sent:
Why would anyone but root be allowed to mount something?
Because *I* put a CD, DVD, USB drive, into *my* computer, logged in as *myself*...
That doesn't mean that you should be allowed to mount it when you're not root. And your computer doesn't know /who/ added some media, does it.
If I have to be root, or gain root privileges, to do such a basic requirement, these days, then security is being busted by either knowing the root password, or being allowed to use my own password for such a hazardous thing.
Security is more likely to be busted by users carelessly mounting file systems than it is by users knowing the passwords for their computers, unless busted intentionally.
Anyway, I wonder why the OP doesn't just mount the camera as usual. It seemed to be mountable.
All true. But we live in a world where attaching cameras and other devices to computers to get files off them is a very common task. That should be no more of a security concern than being able to get those same files from the internet. The solution is a controlled way of mounting attached devices, which if I understand correctly is what /run/media is about, also things like KIO, GVFS. By expecting users to mount attached devices with full-fat mount usage you open the potential for exploits.
Ian Malone ibmalone@gmail.com writes:
By expecting users to mount attached devices with full-fat mount usage you open the potential for exploits.
How would that happen? A file system is either mounted or not, or is it?
Joe Zeff joe@zeff.us writes:
computer, it's configured more for convenience than security. Each person's needs are different, and this is just another example where *nix lets people do things their own way instead of insisting that there's One True Way.
Choices are good to have. Unfortunately, they tend to get removed.
On Tue, 8 Jul 2014 15:48:46 +0300 jarmo oh1mrr@nic.fi wrote:
Mon, 07 Jul 2014 17:55:46 -0700 Joe Zeff joe@zeff.us wrote:
I'm using F 19 with Xfce. If I insert a flash drive, it's mounted without asking for a password because that's what I told Xfce how I wanted this handled. The same thing goes for my mp3 player and camera. For various reasons, I have a partition on my hard drive
I'm using XFCE also. But do the test. Change your boot into multi-user (runlevel 3) and when logged in do startxfce4 and connect memory stick or your camera. To me happened, that every time asked me for root passwd to open.
I don't think startxfce4 can handle a change made in the kernel a while back that disallows new sessions if you change vtys. I'm not sure it would be worth the trouble to try and fix it as that's not ever really been a very Fedora way to start an Xfce session.
Does it work as you expect with startx ? (which was modified to take that change into effect).
kevin
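An added example, not part of any poster's message: the `loginctl show-session` command posted earlier in the thread prints Key=Value properties, and the sketch below reads them to say whether the session counts as the active local one. It assumes the stock polkit defaults for udisks2 mounting (no prompt for an active local session, admin authentication otherwise); the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `loginctl show-session` output (Key=Value lines) on
# stdin and approximates how polkit's active/inactive/any split sees the session.
# Assumption: stock udisks2 policy, i.e. filesystem-mount is allowed without a
# prompt only for an active local session and needs admin auth otherwise.
classify_session() {
    active="" remote="" seat=""
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            Active) active=$value ;;
            Remote) remote=$value ;;
            Seat)   seat=$value ;;
        esac
    done
    if [ "$remote" = "yes" ]; then
        echo "remote"          # e.g. ssh login: never treated as local
    elif [ -z "$seat" ]; then
        echo "no-seat"         # not attached to local hardware
    elif [ "$active" = "yes" ]; then
        echo "active-local"    # desktop mount proceeds without a password
    else
        echo "inactive"        # mount request falls back to admin authentication
    fi
}

# Constructed sample: console login on tty1 that is no longer the foreground
# session (for instance because X was started on a different VT).
sample_console_login_in_background() {
    cat <<'EOF'
Id=2
Name=alice
Seat=seat0
TTY=/dev/tty1
Remote=no
Type=tty
Class=user
Active=no
State=online
EOF
}

# Constructed sample: session created by a display manager in graphical.target.
sample_display_manager_login() {
    cat <<'EOF'
Id=1
Name=alice
Seat=seat0
Remote=no
Type=x11
Class=user
Active=yes
State=active
EOF
}

# Live use: loginctl show-session "$XDG_SESSION_ID" | classify_session
```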
Tue, 8 Jul 2014 17:54:19 -0600 Kevin Fenzi kevin@scrye.com wrote:
Does it work as you expect with startx ? (which was modified to take that change into effect).
kevin
Startx command tries to launch KDE, what I used earlier.. But... as said, now, when booting direct into graphical mode, all works.. Hope :)
Jarmo
On 07/09/14 11:14, jarmo wrote:
Tue, 8 Jul 2014 17:54:19 -0600 Kevin Fenzi kevin@scrye.com wrote:
Does it work as you expect with startx ? (which was modified to take that change into effect).
kevin
Startx command tries to launch KDE, what I used earlier.. But... as said, now, when booting direct into graphical mode, all works.. Hope :)
If you have, or create, a $HOME/.xinitrc containing ....
exec ck-launch-session dbus-launch --exit-with-session startxfce4
Then startx will launch xfce.
You will then find that a USB drive will mount on a double-click of the icon without authentication.
On 8 July 2014 22:33, lee lee@yun.yagibdah.de wrote:
Ian Malone ibmalone@gmail.com writes:
By expecting users to mount attached devices with full-fat mount usage you open the potential for exploits.
How would that happen? A file system is either mounted or not, or is it?
I think I wasn't clear enough. The user doesn't get to run mount themselves. The system does it for them, in a well-defined place with set permissions. If you're worried about security then what are the actual risks?
- Worried about users copying data on or off. You need to disable auto mounting, but you need to do a lot of other things too.
- Things getting mounted in dangerous places, e.g. over / or /bin or a user's home directory. Doesn't happen.
- Things being mounted executable. I've just checked and the default options I get for FAT are showexec, but this could probably be changed to prevent it, certainly it gives you a single point the admin could potentially change it. But files are owned by the user, so setuid tricks are out.
As for KIO, GVFS, sometimes the thing really *isn't* mounted, my camera for instance doesn't get a mount point. The file explorer talks to the camera directly (PTP I think in this case).
Wed, 09 Jul 2014 11:32:32 +0800 Ed Greshko ed.greshko@greshko.com wrote:
If you have, or create, a $HOME/.xinitrc containing ....
exec ck-launch-session dbus-launch --exit-with-session startxfce4
Then startx will launch xfce.
You will then find that a USB drive will mount on a double-click of the icon without authentication.
Ok Now last for this subject.. I have now all working, just changed from runlevel 3 into runlevel 5 and default desktop is xfce4.
Warm summer
Jarmo
Ian Malone ibmalone@gmail.com writes:
On 8 July 2014 22:33, lee lee@yun.yagibdah.de wrote:
Ian Malone ibmalone@gmail.com writes:
By expecting users to mount attached devices with full-fat mount usage you open the potential for exploits.
How would that happen? A file system is either mounted or not, or is it?
I think I wasn't clear enough. The user doesn't get to run mount themselves. The system does it for them, in a well-defined place with set permissions.
Neither the system, nor the user should mount something. Only root should do that, knowing what they're doing.
If you're worried about security then what are the actual risks?
- Worried about users copying data on or off. You need to disable auto
mounting, but you need to do a lot of other things too.
When there is no auto mounting, that's one less thing you'd have to disable.
- Things getting mounted in dangerous places, e.g. over / or /bin or a
user's home directory. Doesn't happen.
You trust computers too much.
- Things being mounted executable. I've just checked and the default
options I get for FAT are showexec, but this could probably be changed to prevent it, certainly it gives you a single point the admin could potentially change it. But files are owned by the user, so setuid tricks are out.
The users can always copy things from things mounted and make them executable. Or they can write their own programs, without mounting anything. When the system mounts things itself, who knows what it might execute.
Allegedly, on or about 10 July 2014, lee sent:
Neither the system, nor the user should mount something. Only root should do that, knowing what they're doing.
Bullshit!
On 10 July 2014 01:10, lee lee@yun.yagibdah.de wrote:
Ian Malone ibmalone@gmail.com writes:
On 8 July 2014 22:33, lee lee@yun.yagibdah.de wrote:
Ian Malone ibmalone@gmail.com writes:
By expecting users to mount attached devices with full-fat mount usage you open the potential for exploits.
How would that happen? A file system is either mounted or not, or is it?
I think I wasn't clear enough. The user doesn't get to run mount themselves. The system does it for them, in a well-defined place with set permissions.
Neither the system, nor the user should mount something. Only root should do that, knowing what they're doing.
If you're worried about security then what are the actual risks?
- Worried about users copying data on or off. You need to disable auto
mounting, but you need to do a lot of other things too.
When there is no auto mounting, that's one less thing you'd have to disable.
- Things getting mounted in dangerous places, e.g. over / or /bin or a
user's home directory. Doesn't happen.
You trust computers too much.
No, I'm pragmatic in what can be trusted. If key components of your system are compromised then what are you protecting and what are you protecting from? Misdirected paranoia is pointless.
Ian Malone ibmalone@gmail.com writes:
On 10 July 2014 01:10, lee lee@yun.yagibdah.de wrote:
You trust computers too much.
No, I'm pragmatic in what can be trusted. If key components of your system are compromised then what are you protecting and what are you protecting from? Misdirected paranoia is pointless.
A computer doesn't need to be compromised to not work correctly or not as expected.
On 10 July 2014 09:49, lee lee@yun.yagibdah.de wrote:
Ian Malone ibmalone@gmail.com writes:
On 10 July 2014 01:10, lee lee@yun.yagibdah.de wrote:
You trust computers too much.
No, I'm pragmatic in what can be trusted. If key components of your system are compromised then what are you protecting and what are you protecting from? Misdirected paranoia is pointless.
A computer doesn't need to be compromised to not work correctly or not as expected.
The same can be said of manually mounting things every time. The difference is that computers are good at automating things reliably, people are not. I don't calculate all my hashes by hand either.
Ian Malone ibmalone@gmail.com writes:
On 10 July 2014 09:49, lee lee@yun.yagibdah.de wrote:
Ian Malone ibmalone@gmail.com writes:
On 10 July 2014 01:10, lee lee@yun.yagibdah.de wrote:
You trust computers too much.
No, I'm pragmatic in what can be trusted. If key components of your system are compromised then what are you protecting and what are you protecting from? Misdirected paranoia is pointless.
A computer doesn't need to be compromised to not work correctly or not as expected.
The same can be said of manually mounting things every time.
As in "A human doesn't need to be compromised ..."? :)
The difference is that computers are good at automating things reliably, people are not. I don't calculate all my hashes by hand either.
The kind of reliability you're referring to is like a two-edged sword. Computers are subject to all kinds of failures, plus human errors, and they lack human intelligence. That puts computers at a big disadvantage, and when a computer does something wrong, it's somewhat likely to be doing it wrong all the time.