
#101 2012-12-24 06:42:43

ShadowKyogre
Member
From: Hell! XP No... I'm not telling
Registered: 2008-12-19
Posts: 476
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Wanted to announce here a small modification to the default volumes plugin for kupfer (which I'll put up on the AUR soon to get myself away from the self-induced headache of tracking down some LXDM bugs).

For now, you can download the modified volumes plugin (located here: https://gist.github.com/4351271), manually package it to go into /usr/share/kupfer/kupfer/plugin, and configure it to use a custom umount command (such as udevil). I haven't figured out the exact command for ejecting a device, but once I do, I'll get to modifying it to take ejection into consideration.

[EDIT]: AUR package is now available: https://aur.archlinux.org/packages/kupf … volumescc/

Last edited by ShadowKyogre (2012-12-24 06:52:44)


For every problem, there is a solution that is:
Clean
Simple and most of all...wrong!
Github page

Offline

#102 2013-01-20 23:47:44

ninian
Member
From: United Kingdom
Registered: 2008-02-24
Posts: 726
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Can udevil cope with SSH using a port other than 22?
If so, does this need to be specified in /etc/udevil/udevil.conf?
Would be grateful for any clarification!

Offline

#103 2013-01-21 02:25:02

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

ninian wrote:

Can udevil cope with SSH using a port other than 22?
If so, does this need to be specified in /etc/udevil/udevil.conf?
Would be grateful for any clarification!

You should be able to specify a port number like this:
    ssh://10.0.0.1:22

You may need to allow the appropriate option (eg port=*) for sshfs in udevil.conf - you'll know if it says option not allowed.

Regardless of protocol, udevil accepts the URL format protocol://user:password@sys.domain:port/share

Offline

#104 2013-01-21 18:57:18

ninian
Member
From: United Kingdom
Registered: 2008-02-24
Posts: 726
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Many thanks for the swift reply and further guidance - makes sense.

Unfortunately, I still can't get udevil to work with this - I always get that old boring SSH error "read: Connection reset by peer". In /etc/udevil/udevil.conf, I checked the following:
allowed_types = $KNOWN_FILESYSTEMS, file, ... sshfs ...
allowed_options_sshfs  = nosuid, ... port=xxx

I'm using key authorization, a port xxx which is not 22, and both the ssh and sshfs commands on their own work exactly as expected.
Whoops, just noticed that when I try udevil (0.3.6-1) with mount -t sshfs, it produces a 'Segmentation fault'!

Maybe I am missing something obvious ...
:(

Offline

#105 2013-01-21 20:13:13

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

udevil is a front-end for mount, so to troubleshoot sshfs problems, run udevil --verbose mount ... and observe the command that udevil is issuing to mount as root.  You can then issue this same command yourself as root to troubleshoot behavior with the sshfs mount helper.  This takes udevil out of the loop.

Aside from parsing the URL and converting it into arguments to pass to mount, and creating a mount point directory, udevil doesn't do much here - most of what it does is about figuring out if you're allowed to do the mount.  Also note that udevil runs mount as root, so this differs in some ways from running sshfs as a normal user.  It's more like adding an sshfs share to fstab.

I'd love to see a backtrace of the segfault - thanks (see README - BUILD DEBUG).

Offline

#106 2013-01-21 23:22:35

ninian
Member
From: United Kingdom
Registered: 2008-02-24
Posts: 726
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

IgnorantGuru wrote:

udevil is a front-end for mount, so to troubleshoot sshfs problems, run udevil --verbose mount ... and observe the command that udevil is issuing to mount as root.  You can then issue this same command yourself as root to troubleshoot behavior with the sshfs mount helper.  This takes udevil out of the loop.
... Also note that udevil runs mount as root, so this differs in some ways from running sshfs as a normal user.  It's more like adding an sshfs share to fstab.

I'd love to see a backtrace of the segfault - thanks (see README - BUILD DEBUG).

Thanks again and I'll experiment further by taking udevil out of the loop. Definitely feels like a user/root permissions problem or misunderstanding by me.
Regarding the segfault, here's what I got from the latest udevil-git; hope it's of some help:

root@pc:/home/user # gdb /usr/bin/udevil 
...
This GDB was configured as "i686-pc-linux-gnu".
...
Reading symbols from /usr/bin/udevil...done.
(gdb) run mount -t sshfs user@pc1
Starting program: /usr/bin/udevil mount -t sshfs user@pc1
warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xb7553cc8 in __strcmp_ia32 () from /usr/lib/libc.so.6

Offline

#107 2013-01-22 00:57:11

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

ninian wrote:

Regarding the segfault, here's what I got from the latest udevil-git; hope it's of some help:

When the segfault occurs, please enter

bt full

in gdb.  Thanks.

EDIT:  Never mind - I am able to reproduce this by specifying "-t sshfs".  Obviously it shouldn't segfault but this can be avoided by skipping the -t and using the URL: udevil mount ssh://user@10.0.0.1

Last edited by IgnorantGuru (2013-01-22 01:02:10)

Offline

#108 2013-01-27 15:34:47

Honaht
Member
From: El verano de los vientos
Registered: 2012-01-14
Posts: 5

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Thank you for the reply.

IgnorantGuru wrote:

You can further control ownership based on mount options with some filesystems (eg uid=$UID) - not sure about ext4.

Yes, on ext4 and xfs this option does not work.

IgnorantGuru wrote:

To add custom options just for ext4, add a line like this to udevil.conf:

default_options_ext4 = nosuid, noexec, nodev, noatime, ...

My impression is that these options are ignored. Flash drives and the SD card are persistently mounted with root privileges. The config file currently looks like this:

default_options_xfs       = noexec, nosuid, nodev, user, sync, rw, noatime, nodiratime, allocsize=1024m
default_options_ext4      = noexec, nosuid, nodev, user, sync, rw, noatime, nodiratime, acl, data=journal
default_options_ext2      = noexec, nosuid, nodev, user, sync, rw, noatime, nodiratime, acl

Judging from the log, everything mounted fine with all the options, with no errors. But (FS on media & other - xfs, on Fujitsu & sde1* - ext4):

ls -la /media
drwxr-xr-x   6 root root   4096 jan 28 02:01 .
drwxr-xr-x  20 root root   4096 jan 27 17:10 ..
drwxr-xr-x  73 oleg users 12288 jan 27 23:33 Fujitsu 465GB
drwxr-xr-x 101 oleg users  8192 jan 28 01:07 media
drwxr-xr-x   8 oleg users   125 jan 28 01:08 other
drwxr-xr-x   3 root root   4096 jan 28 00:40 sde1-usb-USB3.0_FLASH_DRI

Could it be that this is tied to the fact that the flash drives and SD card are inserted in a USB3.0 port, and the external hard drives in a USB2.0 port?

IgnorantGuru wrote:

Also note the mount_point_mode or mount_point_mode_ext4 settings in udevil.conf which controls permissions on the mount point directory.

Of course I can set the permissions in mount_point_mode to 0777 instead of 0755, but this solution does not seem correct to me. How can I mount with the privileges of the user?

Offline

#109 2013-01-27 16:16:23

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Honaht wrote:

Could it be that this is tied to the fact that the flash drives and SD card are inserted in a USB3.0 port, and the external hard drives in a USB2.0 port?

I doubt that would affect it.  ext4 preserves linux ownership and permissions, so when mounted, that ownership within the filesystem will generally take effect (this is why ext4 doesn't provide a uid= option).  So you may just need to adjust permissions and ownership on the directories within the filesystem, including its root dir.  These should be retained the next time it is mounted, just like any ext4 fs.

Aside from the mount_point_mode setting in udevil.conf, udevil doesn't directly adjust permissions within the filesystem.  This is handled by mount options (eg uid=) in some cases.  You can see the exact command udevil is issuing to mount by running udevil --verbose mount ...  You can then issue this same command as root to test and adjust your options.  Then add them as desired to udevil.conf.

When mounting to media/, udevil will create a mount point dir owned by root (but when mounted, this ownership may change due to ownership within the filesystem).  When mounting to /run/media/$USER, the mount point dir will be owned by the user (acl).  Either way, the ownership within the filesystem will be retained for a native linux fs such as ext4.  So I think that's what you need to adjust - ownership within the ext4 filesystem you're mounting.

Offline

#110 2013-01-28 02:33:00

Honaht
Member
From: El verano de los vientos
Registered: 2012-01-14
Posts: 5

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Ok, now more or less clear. Thanks for the clarification.

Offline

#111 2013-02-11 16:43:21

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

udevil 0.4.0 is available.  This release adds support for WebDAV via davfs2, so you can mount http:// and https:// URLs to edit WebDAV-enabled websites (these URLs will also now work in SpaceFM's path bar when used with udevil 0.4.0 or later).  For details on using WebDAV and other minor changes in this release, please see udevil News.

Offline

#112 2013-02-11 18:05:02

anonymous_user
Member
Registered: 2009-08-28
Posts: 3,059

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

^ That news is some incredibly good timing as I just signed up for box.com.

Offline

#113 2013-02-13 23:12:27

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

A new cloud-based translation server is available to make it easier for everyone to help translate strings in udevil and SpaceFM - thanks for contributing.

Offline

#114 2013-02-14 19:16:08

d912e3
Member
Registered: 2012-10-28
Posts: 4

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

How can I mount a luksOpen'ed device with udevil and devmon, respectively?

With the default udevil.conf, I get:

$ sudo cryptsetup luksOpen /dev/sdX myluks
$ udevil mount /dev/mapper/myluks
udevil: denied 80: device myluks is not an allowed device

The same happens if I add the UUID to allowed_internal_uuids. Only with the UUID allowed and explicitly added /dev/mapper/myluks to the allowed_devices, the mounting works.

Unfortunately, this doesn't work with devmon (even with /dev/dm-4 allowed):

added:     /org/freedesktop/UDisks/devices/dm-4
===========================================
changed:     /org/freedesktop/UDisks/devices/dm-4
===========================================
changed:     /org/freedesktop/UDisks/devices/dm-4
/usr/bin/devmon: line 1099: devmounteddm-4=0: command not found
===========================================
removed:   /org/freedesktop/UDisks/devices/dm-4
===========================================
removed:   /org/freedesktop/UDisks/devices/dm-4
===========================================
changed:     /org/freedesktop/UDisks/devices/sdc1
===========================================
added:     /org/freedesktop/UDisks/devices/dm-4
===========================================
changed:     /org/freedesktop/UDisks/devices/sdc1
===========================================
changed:     /org/freedesktop/UDisks/devices/dm-4
/usr/bin/devmon: line 1099: devmounteddm-4=0: command not found

Offline

#115 2013-02-18 13:50:36

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

d912e3 wrote:

How can I mount a luksOpen'ed device with udevil and devmon, respectively?

Neither udevil nor devmon have any explicit support for encrypted devices currently, so you're kind of on your own here.  But devmon is just a bash script so is easily hacked.

The same happens if I add the UUID to allowed_internal_uuids. Only with the UUID allowed and explicitly added /dev/mapper/myluks to the allowed_devices, the mounting works.

The device likely appears internal to udevil, hence the need to add the UUID.  /dev/mapper/myluks is not normally an allowed device in udevil.conf (wildcards don't match slashes), hence the need to add it to allowed_devices.

Unfortunately, this doesn't work with devmon (even with /dev/dm-4 allowed):

added:     /org/freedesktop/UDisks/devices/dm-4
===========================================
changed:     /org/freedesktop/UDisks/devices/dm-4
===========================================
changed:     /org/freedesktop/UDisks/devices/dm-4
/usr/bin/devmon: line 1099: devmounteddm-4=0: command not found
...

The command not found is because of the hyphen in the device name "dm-4".  You could convert the hyphen to an underline - which I'll do for the next release.  That may help somewhat.

Beyond that, devmon works with block devices, so it may not be getting the necessary device info from udevil in order to trigger a mount.  You'll need to explore this in the script.  Around line 1081 you'll see the criteria that triggers a mount attempt by devmon.

EDIT:  You also may need devmon --internal or hack the script to treat the luks device as external.  Otherwise devmon doesn't normally interact with internal devices.

Last edited by IgnorantGuru (2013-02-18 13:53:12)

Offline
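Two points from the reply above, modelled in shell as an added example (not devmon's or udevil's code; every function and variable name is hypothetical): why a `/dev/*` entry does not cover `/dev/mapper/myluks`, and why `devmounteddm-4=0` is run as a command while a sanitized device name works.

```shell
#!/bin/sh
# Added example; not devmon or udevil code. All names are hypothetical.

# --- 1. Wildcards that never match "/" --------------------------------------
# Pattern and path are compared one path component at a time, so "*" and "?"
# cannot span a "/". A lone "*" allows everything, as the config comments
# state for "allowed_devices=*".
match_no_slash() {   # usage: match_no_slash PATTERN PATH
    _pat=$1 _path=$2
    [ "$_pat" = "*" ] && return 0
    while :; do
        _pc=${_pat%%/*}      # current pattern component
        _sc=${_path%%/*}     # current path component
        case $_sc in
            $_pc) ;;         # unquoted on purpose: treated as a glob
            *) return 1 ;;
        esac
        # Pattern and path must run out of components at the same time.
        case $_pat in
            */*) _pat=${_pat#*/} ;;
            *) case $_path in */*) return 1 ;; *) return 0 ;; esac ;;
        esac
        case $_path in
            */*) _path=${_path#*/} ;;
            *) return 1 ;;
        esac
    done
}

device_allowed() {   # usage: device_allowed DEVICE PATTERN...
    _dev=$1; shift
    for _p in "$@"; do
        match_no_slash "$_p" "$_dev" && return 0
    done
    return 1
}

# --- 2. Device names used inside shell variable names -----------------------
# Naive form: the raw name goes straight into the assignment. For "dm-4" the
# word "devmounteddm-4=0" is not a valid assignment (hyphen in the name), so
# the shell looks it up as a command and fails with status 127.
set_state_naive() {  # usage: set_state_naive DEVNAME VALUE
    ( eval "devmounted$1=$2" ) 2>/dev/null
}

# Map anything outside [A-Za-z0-9_] to "_" ("dm-4" -> "dm_4"). This also keeps
# shell metacharacters out of the eval below. Note that "dm-4" and "dm_4"
# would share one variable.
sanitize_devname() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_'
}

set_state() {        # usage: set_state DEVNAME NUMBER
    _name=$(sanitize_devname "$1")
    case $2 in
        ''|*[!0-9]*) return 2 ;;   # accept numeric state values only
    esac
    eval "devmounted_$_name=\$2"
}

get_state() {        # usage: get_state DEVNAME  (prints the stored value)
    _name=$(sanitize_devname "$1")
    eval "printf '%s' \"\${devmounted_$_name:-}\""
}

# Constructed sample run using the device names from the thread.
for dev in /dev/sdc1 /dev/mapper/myluks; do
    if device_allowed "$dev" '/dev/*'; then r=allowed; else r=denied; fi
    printf '%-20s against /dev/*: %s\n' "$dev" "$r"
done
for name in sdc1 dm-4; do
    if set_state_naive "$name" 0; then r=ok; else r="failed ($?)"; fi
    printf 'naive assignment for %-5s: %s\n' "$name" "$r"
done
```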

#116 2013-02-19 05:52:49

ShadowKyogre
Member
From: Hell! XP No... I'm not telling
Registered: 2008-12-19
Posts: 476
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

I'm not sure what happened, but udevil suddenly stopped mounting any media I plugged in even though it's set to suid. The error I get is "udevil: error 103: no valid existing directory in allowed_media_dirs". However, this goes away if I directly run the udevil binary as root.

[EDIT]: It seems that the problem in question also goes away if I remove the faulty /run/media/$USER directory. Odd...

CLI session:

 _____/[shadowkyogre@AlpheTerra|21:48:49|Mon Feb 18 2013]\______________)
(_/[tmp]\_____________/(($)>--< ls -al /usr/bin/udevil 
-rwsr-xr-x 1 root root 189032 Feb 18 21:18 /usr/bin/udevil
 _____/[shadowkyogre@AlpheTerra|21:49:57|Mon Feb 18 2013]\______________)
(_/[tmp]\_____________/(($)>--< sudo ls -alR /run/media
[sudo] password for shadowkyogre: 
/run/media:
total 0
drwx------   4 root root  80 Feb 18 21:33 .
drwxr-xr-x  22 root root 560 Feb 18 21:10 ..
drwxr-x---+  2 root root  40 Feb 18 21:33 root
drwxr-x---+  2 root root  40 Feb 18 21:19 shadowkyogre

/run/media/root:
total 0
drwxr-x---+ 2 root root 40 Feb 18 21:33 .
drwx------  4 root root 80 Feb 18 21:33 ..

/run/media/shadowkyogre:
total 0
drwxr-x---+ 2 root root 40 Feb 18 21:19 .
drwx------  4 root root 80 Feb 18 21:33 ..
 _____/[shadowkyogre@AlpheTerra|21:51:04|Mon Feb 18 2013]\______________)
(_/[tmp]\_____________/(($)>--< udevil mount /dev/sdc1
udevil: error 103: no valid existing directory in allowed_media_dirs
 _____/[shadowkyogre@AlpheTerra|21:51:11|Mon Feb 18 2013]\______________)
(_/[tmp]\_____________/(($)>--< udevil --verbose mount /dev/sdc1
udevil: mkdir /run/media/shadowkyogre
udevil: /usr/bin/setfacl -m u:shadowkyogre:rx /run/media/shadowkyogre
udevil: error 103: no valid existing directory in allowed_media_dirs
 _____/[shadowkyogre@AlpheTerra|21:55:46|Mon Feb 18 2013]\______________)
(_/[tmp]\_____________/(($)>--< ls -al /usr/bin/setfacl 
-rwxr-xr-x 1 root root 32120 Apr 28  2012 /usr/bin/setfacl

/etc/udevil/udevil.conf

##############################################################################
#
# udevil configuration file    /etc/udevil/udevil.conf
#
# This file controls what devices, networks, and files users may mount and
# unmount via udevil (set suid).
# 
# IMPORTANT:  IT IS POSSIBLE TO CREATE SERIOUS SECURITY PROBLEMS IF THIS FILE
# IS MISCONFIGURED - EDIT WITH CARE
#
# Note:  For greater control for specific users, including root, copy this
# file to /etc/udevil/udevil-user-USERNAME.conf replacing USERNAME with the
# desired username (eg /etc/udevil/udevil-user-jim.conf).
#
# Format:
#   OPTION = VALUE[, VALUE, ...]
#
# DO NOT USE QUOTES except literally
# Lines beginning with # are ignored
#
##############################################################################


# To log all uses of udevil, set log_file to a file path:
# log_file = /var/log/udevil.log

# Approximate number of days to retain log entries (0=forever, max=60):
log_keep_days = 10


# allowed_types determines what fstypes can be passed by a user to the u/mount
# program, what device filesystems may be un/mounted implicitly, and what
# network filesystems may be un/mounted.
# It may also include the 'file' keyword, indicating that the user is allowed
# to mount files (eg an ISO file).  The $KNOWN_FILESYSTEMS variable may
# be included to include common local filesystems as well as those listed in
# /etc/filesystems and /proc/filesystems.
# allowed_types_USERNAME, if present, is used to override allowed_types for
# the specific user 'USERNAME'.  For example, to allow user 'jim' to mount
# only vfat filesystems, add:
# allowed_types_jim = vfat
# Setting allowed_types = * does NOT allow all types, as this is a security
# risk, but does allow all recognized types.
# allowed_types = $KNOWN_FILESYSTEMS, file, cifs, smbfs, nfs, curlftpfs, ftpfs, sshfs, davfs, tmpfs, ramfs
allowed_types = $KNOWN_FILESYSTEMS, file


# allowed_users is a list of users permitted to mount and unmount with udevil.
# Wildcards (* or ?) may be used in the usernames.  To allow all users,
# specify "allowed_users=*".  UIDs may be included using the form UID=1000.
# For example:  allowed_users = carl, UID=1000, pre*
# Also note that permission to execute udevil may be limited to users belonging
# to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
# depending on installation.
# allowed_users_FSTYPE, if present, is used to override allowed_users when
# mounting or unmounting a specific fstype (eg nfs, ext3, file).
# Note that when mounting a file, fstype will always be 'file' regardless of
# the internal fstype of the file.
# For example, to allow only user 'bob' to mount nfs shares, add:
# allowed_users_nfs = bob
# The root user is NOT automatically allowed to use udevil in some cases unless
# listed here (except for unmounting anything or mounting fstab devices).
allowed_users = *


# allowed_groups is a list of groups permitted to mount and unmount with
# udevil.  The user MUST belong to at least one of these groups.  Wildcards
# or GIDs may NOT be used in group names, but a single * may be used to allow
# all groups.
# Also note that permission to execute udevil may be limited to users belonging
# to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
# depending on installation.
# allowed_groups_FSTYPE, if present, is used to override allowed_groups when
# mounting or unmounting a specific fstype (eg nfs, ext3, file).  For example,
# to allow only members of the 'network' group to mount smb and nfs shares,
# use both of these lines:
# allowed_groups_smbfs = network
# allowed_groups_nfs = network
# The root user is NOT automatically allowed to use udevil in some cases unless
# listed here (except for unmounting anything or mounting fstab devices).
allowed_groups = *


# allowed_media_dirs specifies the media directories in which user mount points
# may be located.  The first directory which exists and does not contain a
# wildcard will be used as the default media directory (normally /media or
# /run/media/$USER).
# The $USER variable, if included, will be replaced with the username of the
# user running udevil.  Wildcards may also be used in any directory EXCEPT the
# default.  Wildcards will not match a /
# allowed_media_dirs_FSTYPE, if present, is used to override allowed_media_dirs
# when mounting or unmounting a specific fstype (eg ext2, nfs).  For example,
# to cause /media/network to be used as the default media directory for
# nfs and ftpfs mounts, use these two lines:
# allowed_media_dirs_nfs   = /media/network, /media, /run/media/$USER
# allowed_media_dirs_ftpfs = /media/network, /media, /run/media/$USER
# NOTE: If you want only the user who mounted a device to have access to it
# and be allowed to unmount it, specify /run/media/$USER as the first
# allowed media directory.
# IMPORTANT:  If an allowed file is mounted to a media directory, the user may
# be permitted to unmount its associated loop device even though internal.
# INCLUDING /MNT HERE IS NOT RECOMMENDED.  ALL ALLOWED MEDIA DIRECTORIES
# SHOULD BE OWNED AND WRITABLE ONLY BY ROOT.
allowed_media_dirs = /media, /run/media/$USER


# allowed_devices is the first criteria for what block devices users may mount
# or unmount.  If a device is not listed in allowed_devices, it cannot be
# un/mounted (unless in fstab).  However, even if a device is listed, other
# factors may prevent its use.  For example, access to system internal devices
# will be denied to normal users even if they are included in allowed_devices.  
# allowed_devices_FSTYPE, if present, is used to override allowed_devices when
# mounting or unmounting a specific fstype (eg ext3, ntfs).  For example, to
# prevent all block devices containing an ext4 filesystem from being
# un/mounted use:
# allowed_devices_ext4 =
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "allowed_devices=*" which allows any device.  The recommended setting is
# allowed_devices = /dev/*
# WARNING:  ALLOWING USERS TO MOUNT DEVICES OUTSIDE OF /dev CAN CAUSE SERIOUS
# SECURITY PROBLEMS.  DO NOT ALLOW DEVICES IN /dev/shm
allowed_devices = /dev/*


# allowed_internal_devices causes udevil to treat any listed block devices as
# removable, thus allowing normal users to un/mount them (providing they are
# also listed in allowed_devices).
# allowed_internal_devices_FSTYPE, if present, is used to override
# allowed_internal_devices when mounting or unmounting a specific fstype
# (eg ext3, ntfs).  For example, to allow block devices containing a vfat
# filesystem to be un/mounted even if they are system internal devices, use:
# allowed_internal_devices_vfat = /dev/sdb*
# Some removable esata drives look like internal drives to udevil.  To avoid
# this problem, they can be treated as removable with this setting.
# WARNING:  SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
# allowed_internal_devices =


# allowed_internal_uuids and allowed_internal_uuids_FSTYPE work similarly to
# allowed_internal_devices, except that UUIDs are specified instead of devices.
# For example, to allow un/mounting of an internal filesystem based on UUID:
# allowed_internal_uuids = cc0c4489-8def-1e5b-a304-ab87c3cb626c0
# WARNING:  SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
# allowed_internal_uuids = 


# forbidden_devices is used to prevent block devices from being un/mounted
# even if other settings would allow them (except devices in fstab).
# forbidden_devices_FSTYPE, if present, is used to override
# forbidden_devices when mounting or unmounting a specific fstype
# (eg ext3, ntfs).  For example, to prevent device /dev/sdd1 from being
# mounted when it contains an ntfs filesystem, use:
# forbidden_devices_ntfs = /dev/sdd1
# NOTE: device node paths are canonicalized before being tested, so forbidding
# a link to a device will have no effect.
forbidden_devices =


# allowed_networks determines what hosts may be un/mounted by udevil users when
# using nfs, cifs, smbfs, curlftpfs, ftpfs, or sshfs.  Hosts may be specified
# using a hostname (eg myserver.com) or IP address (192.168.1.100).
# Wildcards may be used in hostnames and IP addresses, but CIDR notation 
# (192.168.1.0/16) is NOT supported.  IP v6 is supported.  For example:
# allowed_networks = 127.0.0.1, 192.168.1.*, 10.0.0.*, localmachine, *.okay.com
# Or, to prevent un/mounting of any network shares, set:
# allowed_networks =
# allowed_networks_FSTYPE, if present, is used to override allowed_networks
# when mounting or unmounting a specific network fstype (eg nfs, cifs, sshfs,
# curlftpfs).  For example, to limit nfs and samba shares to only local
# networks, use these two lines:
# allowed_networks_nfs = 192.168.1.*, 10.0.0.*
# allowed_networks_cifs = 192.168.1.*, 10.0.0.*
allowed_networks = *


# forbidden_networks and forbidden_networks_FSTYPE are used to specify networks
# that are never allowed, even if other settings allow them (except fstab).
# NO REVERSE LOOKUP IS PERFORMED, so including bad.com will only have an effect
# if the user uses that hostname.  IP lookup is always performed, so forbidding
# an IP address will also forbid all corresponding hostnames.
forbidden_networks = 


# allowed_files is used to determine what files in what directories may be
# un/mounted.  A user must also have read permission on a file to mount it.
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "allowed_files=*" which allows any file.  For example, to allow only
# files in the /share directory to be mounted, use:
# allowed_files = /share/*
# NOTE:  Specifying allowed_files_FSTYPE will NOT work because the fstype of
# files is always 'file'.
allowed_files = *


# forbidden_files is used to specify files that are never allowed, even if
# other settings allow them (except fstab).  Specify a full path.
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "forbidden_files = *".
# NOTE: file paths are canonicalized before being tested, so forbidding
# a link to a file will have no effect.
forbidden_files = 


# default_options specifies what options are always included when performing
# a mount, in addition to any options the user may specify.
# Note:  When a device is present in /etc/fstab, and the user does not specify
# a mount point, the device is mounted with normal user permissions using
# the fstab entry, without these options.
# default_options_FSTYPE, if present, is used to override default_options
# when mounting a specific fstype (eg ext2, nfs).
# The variables $USER, $UID, and $GID are changed to the user's username, UID,
# and GID.
# FOR GOOD SECURITY, default_options SHOULD ALWAYS INCLUDE: nosuid,noexec,nodev
# WARNING:  OPTIONS PRESENT OR MISSING CAN CAUSE SERIOUS SECURITY PROBLEMS.
default_options           = nosuid, noexec, nodev, noatime
default_options_file      = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro
# mount iso9660 with 'ro' to prevent mount read-only warning
default_options_iso9660   = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro, utf8
default_options_udf       = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_vfat      = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID, utf8
default_options_msdos     = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID
default_options_umsdos    = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID
default_options_ntfs      = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, utf8
default_options_cifs      = nosuid, noexec, nodev, uid=$UID, gid=$GID
default_options_smbfs     = nosuid, noexec, nodev, uid=$UID, gid=$GID
default_options_sshfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
default_options_curlftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
default_options_ftpfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_davfs     = nosuid, noexec, nodev, uid=$UID, gid=$GID
default_options_tmpfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_ramfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID


# allowed_options determines all options that a user may specify when mounting.
# All the options used in default_options above must be included here too, or
# they will be rejected.  If the user attempts to use an option not included
# here, an error will result.  Wildcards may be used.
# allowed_options_FSTYPE, if present, is used to override allowed_options
# when mounting a specific fstype (eg ext2, nfs).
# The variables $USER, $UID, and $GID are changed to the user's username, UID,
# and GID.
# If you want to forbid remounts, remove 'remount' from here.
# WARNING:  OPTIONS HERE CAN CAUSE SERIOUS SECURITY PROBLEMS - CHOOSE CAREFULLY
allowed_options           = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID, ro, rw, sync, flush, iocharset=*, utf8, remount
allowed_options_nfs       = nosuid, noexec, nodev, noatime, ro, rw, sync, remount, port=*, rsize=*, wsize=*, hard, proto=*, timeo=*, retrans=*
allowed_options_cifs      = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
allowed_options_smbfs     = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
allowed_options_sshfs     = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, idmap=user, BatchMode=yes, port=*
allowed_options_curlftpfs = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, user=*
allowed_options_ftpfs     = nosuid, noexec, nodev, noatime, ro, rw, port=*, user=*, pass=*, ip=*, root=*, uid=$UID, gid=$GID


# mount_point_mode, if present and set to a non-empty value, will cause udevil
# to set the mode (permissions) on the mount point after mounting.  If not
# specified or if left empty, the mode is not changed.  Mode must be octal
# starting with a zero (0755).
# mount_point_mode_FSTYPE, if present, is used to override mount_point_mode
# when mounting a specific fstype (eg ext2, nfs).
# NOT SETTING A MODE CAN HAVE SECURITY IMPLICATIONS FOR SOME FSTYPES
mount_point_mode = 0755
# don't set a mode for some types:
mount_point_mode_sshfs =
mount_point_mode_curlftpfs =
mount_point_mode_ftpfs =


# Use the settings below to change the default locations of programs used by
# udevil, or (advanced topic) to redirect commands to your scripts.
# When substituting scripts, make sure they are root-owned and accept the
# options used by udevil (for example, the mount_program must accept --fake,
# -o, -v, and other options valid to mount.)
# Be sure to specify the full path and include NO OPTIONS or other arguments.
# These programs may also be specified as configure options when building
# udevil.
# THESE PROGRAMS ARE RUN AS ROOT
# mount_program   = /bin/mount
# umount_program  = /bin/umount
# losetup_program = /sbin/losetup
# setfacl_program = /usr/bin/setfacl


# validate_exec specifies a program or script which provides additional
# validation of a mount or unmount command, beyond the checks performed by
# udevil.  The program is run as a normal user (if root runs udevil,
# validate_exec will NOT be run).  The program is NOT run if the user is
# mounting a device without root privileges (a device in fstab).
# The program is passed the username, a printable description of what is
# happening, and the entire udevil command line as the first three arguments.
# The program must return an exit status of 0 to allow the mount or unmount
# to proceed.  If it returns non-zero, the user will be denied permission.
# For example, validate_exec might specify a script which notifies you
# of the command being run, or performs additional steps to authenticate the
# user.
# Specify a full path to the program, with NO options or arguments.
# validate_exec =


# validate_rootexec works similarly to validate_exec, except that the program
# is run as root.  validate_rootexec will also be run if the root user runs
# udevil.  If both validate_exec and validate_rootexec are specified, 
# validate_rootexec will run first, followed by validate_exec.
# The program must return an exit status of 0 to allow the mount or unmount
# to proceed.  If it returns non-zero, the user will be denied permission.
# Unless you are familiar with writing root scripts, it is recommended that
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
# validate_rootexec =


# success_exec is run after a successful mount, remount, or unmount.  The 
# program is run as a normal user (if root runs udevil, success_exec
# will NOT be run).
# The program is passed the username, a printable description of what action
# was taken, and the entire udevil command line as the first three arguments.
# The program's exit status is ignored.
# For example, success_exec might run a script which informs you of what action
# was taken, and might perform further actions.
# Specify a full path to the program, with NO options or arguments.
# success_exec =


# success_rootexec works similarly to success_exec, except that the program is
# run as root.  success_rootexec will also be run if the root user runs udevil.
# If both success_exec and success_rootexec are specified,  success_rootexec
# will run first, followed by success_exec.
# Unless you are familiar with writing root scripts, it is recommended that
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
# success_rootexec =

Last edited by ShadowKyogre (2013-02-19 06:13:35)



Offline
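The validate_exec contract described in the udevil.conf above (three arguments, exit status 0 to allow), as an added example that is not part of the original post or of udevil: a hook that allows only listed users and refuses URLs carrying an inline password. The user names and both policies are assumptions for illustration.

```shell
#!/bin/sh
# Added example of a validate_exec hook; not part of udevil.
# Per udevil.conf: $1 = username, $2 = printable description,
# $3 = the entire udevil command line. Exit 0 allows, non-zero denies.

ALLOWED_USERS="alice bob"   # constructed names; replace with real accounts

log_event() {   # $1 = verdict, $2 = user, $3 = description
    # Only the description is logged: the command line may carry a password.
    if command -v logger >/dev/null 2>&1; then
        logger -t udevil-validate "$1 user=$2 action=$3" 2>/dev/null || :
    fi
}

validate_request() {
    # Fail closed on anything other than the three documented arguments.
    [ "$#" -eq 3 ] || return 1
    vr_user=$1 vr_desc=$2 vr_cmd=$3

    # Policy 1: the requesting user must be on the allowlist.
    case " $ALLOWED_USERS " in
        *" $vr_user "*) ;;
        *) log_event DENY-user "$vr_user" "$vr_desc"; return 1 ;;
    esac

    # Policy 2: refuse URLs of the form proto://user:password@host, because
    # a password on the command line can be read from the process list.
    if printf '%s\n' "$vr_cmd" |
        grep -Eq '[A-Za-z][A-Za-z0-9+.-]*://[^/@[:space:]]+:[^/@[:space:]]+@'
    then
        log_event DENY-inline-password "$vr_user" "$vr_desc"
        return 1
    fi

    log_event ALLOW "$vr_user" "$vr_desc"
    return 0
}

# udevil always supplies three arguments; with none, nothing is decided so
# the functions can be loaded on their own.
if [ "$#" -gt 0 ]; then
    validate_request "$@"
    exit $?
fi
```

To use it, save the script root-owned and set validate_exec to its full path, with no options, as the comments in udevil.conf require.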
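A check for the settings that the udevil.conf above marks as run as root, added here as an example and not taken from the post or the udevil project: it reads the uncommented *_program and *_rootexec values and reports any that are not a full path, carry arguments, are not owned by root, or are writable by group or others. The function names and the OWNER parameter are hypothetical.

```shell
#!/bin/sh
# Added example: audit the udevil.conf settings whose programs run as root.
# The key names are the ones in the udevil.conf posted above.
ROOT_RUN_KEYS="mount_program umount_program losetup_program setfacl_program
validate_rootexec success_rootexec"

# check_program PATH [OWNER]: print findings, return 1 if PATH looks unsafe.
# OWNER defaults to root; it is a parameter only so the check can be tested.
check_program() {
    cp_path=$1 cp_owner=${2:-root} cp_rc=0
    case $cp_path in
        *[[:space:]]*) echo "$cp_path: contains options or whitespace"; return 1 ;;
        /*) ;;
        *) echo "$cp_path: not a full path"; return 1 ;;
    esac
    [ -f "$cp_path" ] || { echo "$cp_path: not a regular file"; return 1; }
    # find -L follows symlinks, so the real target's owner and mode are tested.
    if [ -z "$(find -L "$cp_path" -prune -user "$cp_owner")" ]; then
        echo "$cp_path: not owned by $cp_owner"; cp_rc=1
    fi
    if [ -n "$(find -L "$cp_path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$cp_path: writable by group or others"; cp_rc=1
    fi
    return $cp_rc
}

# audit_conf FILE [OWNER]: check each uncommented, non-empty root-run setting.
audit_conf() {
    [ -r "$1" ] || { echo "$1: cannot read"; return 1; }
    ac_rc=0
    for ac_key in $ROOT_RUN_KEYS; do
        # Value = text after "key =", with surrounding whitespace trimmed.
        ac_vals=$(sed -n "s/^[[:space:]]*$ac_key[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1")
        while IFS= read -r ac_val; do
            [ -n "$ac_val" ] || continue
            ac_out=$(check_program "$ac_val" "${2:-root}") || ac_rc=1
            [ -z "$ac_out" ] || echo "$ac_key: $ac_out"
        done <<EOF
$ac_vals
EOF
    done
    return $ac_rc
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_conf "$@"
    exit $?
fi
```

Only the file itself is examined; a writable parent directory would allow the same replacement and needs the same test.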

#117 2013-02-19 12:31:37

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

ShadowKyogre wrote:
/run/media:
total 0
drwx------   4 root root  80 Feb 18 21:33 .

It looks like only root has permission to access /run/media/.  Thus your user cannot access /run/media/shadowkyogre, hence the error.  Your user must have access to the media dir udevil is using (eg /run/media/).  Not sure how /run/media would have gotten set up like that on your system.  I would try:

# chmod go+rx /run /run/media

Offline

#118 2013-02-19 21:58:00

ShadowKyogre
Member
From: Hell! XP No... I'm not telling
Registered: 2008-12-19
Posts: 476
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

IgnorantGuru wrote:

It looks like only root has permission to access /run/media/.  Thus your user cannot access /run/media/shadowkyogre, hence the error.  Your user must have access to the media dir udevil is using (eg /run/media/).  Not sure how /run/media would have gotten set up like that on your system.  I would try:

# chmod go+rx /run /run/media

I'm not exactly sure how /run/media got set up like that either that day, but it works now thanks to your tip! Thanks!

Last edited by ShadowKyogre (2013-02-19 21:58:25)



Offline

#119 2014-04-21 10:40:38

Heikete
Member
Registered: 2007-04-28
Posts: 40

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Hi!
I'm joining the thread with a small problem. There has to be some change in udevil behaviour.
I'd been using the fantastic rule by berz_ for udev, but it stopped recognizing the switched user,
which is done by sudo. Here is the rule (it appeared in this thread):

$ cat /etc/udev/rules.d/99-automount.rules
ACTION=="add", KERNEL=="sd[b-z][1-9]", RUN+="/usr/bin/sudo -u heikete /usr/bin/udevil mount /dev/%k -o sync"
ACTION=="remove", KERNEL=="sd[b-z][1-9]", RUN+="/usr/bin/sudo -u heikete /usr/bin/udevil umount /dev/%k"

Devices are mounted with 700 permission granted on directories. With user==root and group=users
of course only root can access the files.

Why is sudo -u ignored?

Offline

#120 2014-04-21 14:37:47

anonymous_user
Member
Registered: 2009-08-28
Posts: 3,059

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Why are you even using a udev rule for mounting devices? Just use devmon (included in udevil package).

Offline

#121 2014-08-16 11:35:33

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

In the PKGBUILD for udevil is the following line

backup=('etc/udevil/udevil.conf')

Any reason why it doesn't include /etc/conf.d/devmon too?  Any changes to it get wiped out on a pkg re-install.

Offline

#122 2015-07-11 22:20:26

Cavsfan
Member
From: USA
Registered: 2015-07-08
Posts: 101

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Thank you!

I was finally able to automount my 1TB USB drive at boot with this simple command added to Session and Startup in Xfce:

udevil mount /dev/sdb1

This was after I installed udevil. I like the name lol!
The name of the drive was listed as /run/media/cavsfan/Fantom when I manually mounted it but now it is just /media/Fantom/.

I have a conky that shows the RAM, the partition that Arch is installed on and the Fantom drive and their usage, but I could not get it to automount until now.
It looks beautiful now.

Offline

#123 2015-08-14 16:16:03

Cavsfan
Member
From: USA
Registered: 2015-07-08
Posts: 101

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Wonder why my windows drive cannot be mounted with this command:

udevil mount -o ro /dev/sda1

The only thing that will work is if sudo is prepended to the command.

I just set up an alias for it but need to enter my password of course.

I think it did work the first day I added it as a startup command in Xfce but not since.

Offline

#124 2015-08-15 12:28:37

IgnorantGuru
Member
Registered: 2009-11-09
Posts: 640
Website

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

Cavsfan wrote:

Wonder why my windows drive cannot be mounted with this command:

First, you should include the error message from udevil, and add --verbose if you need more information.  It's probably telling you why it's not mounting it.

If /dev/sda1 is an internal drive, users won't be allowed to mount it unless you add it to allowed_internal_devices in /etc/udevil/udevil.conf.  Note that allowing users to mount and unmount internal drives that are used for the system can erode security.  udevil is generally made for external, removable devices.  Also note that esata drives may appear internal to udev even if they are external, so you may need to add them to allowed_internal_devices.

Also note that if /dev/sda1 is included in fstab (by name or uuid), udevil will simply run mount as the normal user, in which case you may want to add the 'user' option in fstab to allow users to mount that device.

Last edited by IgnorantGuru (2015-08-15 12:35:08)

Offline

#125 2015-08-15 18:55:29

Cavsfan
Member
From: USA
Registered: 2015-07-08
Posts: 101

Re: udevil - mount without password, monitor udev [SpaceFM, devmon, CLI]

IgnorantGuru wrote:
Cavsfan wrote:

Wonder why my windows drive cannot be mounted with this command:

First, you should include the error message from udevil, and add --verbose if you need more information.  It's probably telling you why it's not mounting it.

If /dev/sda1 is an internal drive, users won't be allowed to mount it unless you add it to allowed_internal_devices in /etc/udevil/udevil.conf.  Note that allowing users to mount and unmount internal drives that are used for the system can erode security.  udevil is generally made for external, removable devices.  Also note that esata drives may appear internal to udev even if they are external, so you may need to add them to allowed_internal_devices.

Also note that if /dev/sda1 is included in fstab (by name or uuid), udevil will simply run mount as the normal user, in which case you may want to add the 'user' option in fstab to allow users to mount that device.

It returns a normal error I believe.

$ udevil mount --verbose -o ro /dev/sda1
udevil: denied 88: device /dev/sda1 is an internal device and you're not root

Here it is listed in blkid:

$ sudo blkid
/dev/sda1: LABEL="C:" UUID="1CFC7A8DFC7A60C6" TYPE="ntfs" PARTUUID="a55f55ec-01"

If I add

allowed_internal_devices_vfat = /dev/sda1

to /etc/udevil/udevil.conf would it be ok to mount it with the read only command I posted at Xfce startup?:

udevil mount -o ro /dev/sda1

I definitely want it to be read only because I know what can happen if you write to the Windows partition from a Linux system.

Been there and done that and don't want to go there again.

I do really like how Arch is very protective over other partitions but I may occasionally need to access the C: drive partition read only as needed.

I'll wait until I hear back before I make any changes as I am in no hurry.

Thank you kindly!!!

Edit: Forgot to mention that it is not in /etc/fstab, just the Arch and swap partitions are.

Last edited by Cavsfan (2015-08-15 18:57:12)

Offline
