Gentoo Forums
Is ConsoleKit needed for systemd system?
davidshen84
Guru


Joined: 09 Aug 2008
Posts: 314

Posted: Fri Sep 16, 2016 1:09 pm    Post subject: Is ConsoleKit needed for systemd system?

Hi,

My system is Gentoo 64 bit, with systemd and Plasma 5. After a recent update I noticed the USB drives on my user session are mounted with root permission... hence I do not have write access. At https://forums.gentoo.org/viewtopic-t-1038986-start-0.html, people talked about polkit and consolekit. But I am not sure which one I should choose.

My user is in the plugdev group. My emerge --info shows I do not have consolekit in my USE.
_________________
David Shen

Logicien
Veteran


Joined: 16 Sep 2005
Posts: 1555
Location: Montréal

Posted: Fri Sep 16, 2016 5:22 pm

Hello,

To use USB keys and any mass devices with a normal user, I put him in the disk group. I am with Systemd and even if the Consolekit service is disabled, some services can start it. To prevent Consolekit from conflicting with Logind of Systemd, I have unmerged Consolekit. No package depends on it because it has not been pulled in by Emerge later. Some installed packages depend on Polkit, including Systemd, so it must stay installed.
_________________
Paul


Last edited by Logicien on Fri Sep 16, 2016 5:33 pm; edited 1 time in total

Buffoon
Veteran


Joined: 17 Jun 2015
Posts: 1369
Location: EU or US

Posted: Fri Sep 16, 2016 5:30 pm

User in disk group is plain wrong security-wise.

Logicien
Veteran


Joined: 16 Sep 2005
Posts: 1555
Location: Montréal

Posted: Fri Sep 16, 2016 5:32 pm

What else?
_________________
Paul

Hu
Moderator


Joined: 06 Mar 2007
Posts: 21602

Posted: Sat Sep 17, 2016 12:40 am

In some configurations, including mine, which I believe to be the default configuration, the block device nodes representing mass storage have group disk and mode 660. A user in group disk would be able to write directly to the mass storage, bypassing the filesystem driver and all security controls. This is very dangerous and should never be done on a production system.

Logicien
Veteran


Joined: 16 Sep 2005
Posts: 1555
Location: Montréal

Posted: Sat Sep 17, 2016 12:32 pm

I understand the security issue. If you don't put a user in the disk group, to give him access to a mass media device like a USB key, I see only changing the group manually on the device file to a group the user is only in, like his basic group. This way, you can give read and write access to only one mass media and one user at a time.

With Xfce4, some filesystems can be mounted read-only via Thunar. I see no option for read and write. For example, using a USB key with read and write access in VirtualBox, a user needs to be in the disk group or the permissions must be changed manually by root, like creating a Udev rule. This is not difficult to do. Is this the only way to be selective on mass media permissions?
_________________
Paul

Hu
Moderator


Joined: 06 Mar 2007
Posts: 21602

Posted: Sat Sep 17, 2016 3:57 pm

I think there is something very wrong with whatever tool is mounting these devices for you. Hopefully, it is a configuration problem. You should not need to change the ownership of the block device or the groups of the user. The mounting tool should be configured to set the permissions of the mounted filesystem to allow your user to access it. It should not propagate the block device group ID to the mounted filesystem. Your user should never have direct write access to the block device, even if you give the user full write access to all files on the mounted filesystem.

Logicien
Veteran


Joined: 16 Sep 2005
Posts: 1555
Location: Montréal

Posted: Sat Sep 17, 2016 5:36 pm

None of my regular users needs to mount anything. I don't use any desktop environment disk and media access features. Everything is mounted at boot by root via fstab, samba and autofs with write access only on one share data filesystem.

The reason why I need read write access for a normal user on mass media is VirtualBox and Qemu. Without being in the disk group I can do nothing with my hard disks virtually. I do not like the idea of manipulating permissions otherwise at all. An alternative may be to use sudo with VirtualBox and Qemu.
_________________
Paul

Hu
Moderator


Joined: 06 Mar 2007
Posts: 21602

Posted: Sat Sep 17, 2016 6:07 pm

That makes sense for scenarios where everything you run is completely trusted (but at that point, why not run everything as root?), but is unfortunately irrelevant to the original poster. OP stated that the filesystems are mounted and that the permissions visible on the mounted filesystem are not what he needs. You recommended a change that is a security problem for that use case (and unlikely to fix it), but solves an unrelated problem that OP does not have.

Buffoon
Veteran


Joined: 17 Jun 2015
Posts: 1369
Location: EU or US

Posted: Sat Sep 17, 2016 6:20 pm

User in disk group can write to _all_ drives, bypassing the permissions. Including the root filesystem.

Code:
/dev/mmcblk0p1          /mnt/sd         vfat            noatime,sync,users,noauto,umask=000,shortname=lower 0 0


^ I have this in my fstab, when I click on SD shortcut in Thunar it happily mounts it for me and I have full access.
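
An added example, not part of any post in the thread: a small audit for the risk Hu and Buffoon describe, listing which accounts hold the disk group and which device nodes that group can write. The function names and the sample group, passwd and device lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit who can write raw block devices
# through the "disk" group. File paths are parameters so it runs on samples.

# Print every account holding GROUP, as supplementary or primary group.
group_holders() {  # usage: group_holders GROUP_FILE PASSWD_FILE [GROUP]
    gh_gid=$(awk -F: -v g="${3:-disk}" '$1 == g { print $3; exit }' "$1")
    {
        # Supplementary members: comma-separated 4th field of the group entry.
        awk -F: -v g="${3:-disk}" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
        # Accounts whose primary GID (4th passwd field) is the group's GID.
        if [ -n "$gh_gid" ]; then
            awk -F: -v gid="$gh_gid" '$4 == gid { print $1 }' "$2"
        fi
    } | sort -u | paste -sd' ' -
}

# Read "MODE GROUP PATH" lines (e.g. from: stat -c '%a %G %n' /dev/sd*) and
# print the paths that GROUP may write, i.e. the group-write bit is set.
group_writable_nodes() {  # usage: ... | group_writable_nodes [GROUP]
    awk -v g="${1:-disk}" '$2 == g {
        d = substr($1, length($1) - 1, 1)      # group digit of the octal mode
        if (int(d / 2) % 2 == 1) print $3 }' | paste -sd' ' -
}

# Constructed sample data, modelled on the setup described in the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
disk:x:6:paul,vbox
plugdev:x:104:david
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:6:backup:/var/backups:/bin/false
david:x:1000:1000::/home/david:/bin/bash
paul:x:1001:1001::/home/paul:/bin/bash
EOF
echo "disk group holders: $(group_holders "$sample_dir/group" "$sample_dir/passwd")"
printf '%s\n' '660 disk /dev/sda' '640 disk /dev/sdb' '660 floppy /dev/fd0' |
    group_writable_nodes | sed 's/^/group-writable by disk: /'
rm -rf "$sample_dir"
```

On a live system, pass /etc/group and /etc/passwd to the first function and pipe the stat output named in the comment into the second.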

Logicien
Veteran


Joined: 16 Sep 2005
Posts: 1555
Location: Montréal

Posted: Sat Sep 17, 2016 6:28 pm

Hu,

you are right, a part of my initial post's solution is not relevant for davidshen84's problem unless what we have discussed is useful for him in a way.

Buffoon,

what you say is right too; what you do in fstab, I do through autofs for CD/DVD. For USB keys and SD cards, their partition tables are changing too often to automount or premount them unless I use a script.
_________________
Paul

All times are GMT