[Nix-dev] Re: [Nix-commits] SVN commit: nix - 19185 - NicolasPierron - in nixos/trunk/modules: . security
Eelco Dolstra
e.dolstra at tudelft.nl
Sun Jan 3 15:42:13 CET 2010
Hi,

Nicolas Pierron wrote:
> + security.setuidPrograms = [ "pmount" "pumount" ];
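Review bot: the added `security.setuidPrograms = [ "pmount" "pumount" ];` line requests setuid wrappers for two programs, and nothing in the quoted line shows the assignment being conditional on an option or explains why setuid is required. If it is set unconditionally, every system that imports the module gains both setuid binaries whether or not the feature is used. Consider placing the assignment under the module's enable condition (or a dedicated option) and adding a short comment stating why each program needs the setuid bit.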

Adding pmount to NixOS may not be such a good idea since NixOS already supports
non-root mounting through HAL. For instance, in KDE 4 you can just click on a
USB stick to mount it. This is more secure because it doesn't involve setuid
binaries (but rather involves sending a message to HAL over the system message
bus) and it obeys the security policies defined in PolicyKit. The only downside
is that we don't have a command-line interface to this yet (other than
dbus-send). Unmounting from the command line does work, because HAL provides a
umount helper.

There seem to be some scripts to do command-line mounts using HAL, e.g.
http://www.datapax.com.au/apps/halmount/

PS: in any case pmount shouldn't be defined in the pam_usb module because it has
nothing to do with pam_usb (right?)

--
Eelco Dolstra | http://www.st.ewi.tudelft.nl/~dolstra/