Solved Users not allowed to use USB keys?

obsigna said:
Well, I entered this thread, and you almost brought me near to a heart attack. I am shipping electrochemical laboratory equipment and the controlling device and data acquisition is done by a PC operated by FreeBSD 12 with the GNOME3 desktop environment. I rely on the functionality of USB removable media plugged-in by end users, because most customers don’t let these systems into their LAN, and without that, the scientists would need to use a ball pen to transcribe megabytes of measurement data from the screen, won’t they?

I tried it once again - and of course it works. A normal user can plugin a USB drive, GNOME does mount it as the user who is logged-in, and we can get hands on our data. So what you’re talking about? Here comes the evidence photo. A USB pendrive named Daten just plugged-in to the Desktop system, when user rolf was logged-in.

Media be mounted only be root? Come on, this is an April fool joke from nerdistan. I do this since the 90th with all my desktop systems, mostly Mac's (some Windows'). Personally, I use FreeBSD not as a desktop but as a server OS, and with that it never made a difference, because I login as root anyway.
Click to expand...
This sounds like you're talking about an appliance, not a lab environment. However, KDE, Gnome, XFCE, etc., will all allow you to automount if you desire. Nobody said you couldn't do it. It's even possible to set it up for a server. The security folks take issue with the idea, personally, I don't care either way. However, sometimes automount annoys me, particularly when I am trying to do low level work with the USB.
 
I'll save you the trouble of making a fool of yourself and do it myself in a more Professional manner, better suited for a UNIX smart aleck":

"an obnoxiously conceited and self-assertive person with pretensions to smartness or cleverness"

And this forum than you would have gotten had you answered quickly.

obsigna said:
Well, I entered this thread, and you almost brought me near to a heart attack. I am shipping electrochemical laboratory equipment and the controlling device and data acquisition is done by a PC operated by FreeBSD 12 with the GNOME3 desktop environment. I rely on the functionality of USB removable media plugged-in by end users, because most customers don’t let these systems into their LAN, and without that, the scientists would need to use a ball pen to transcribe megabytes of measurement data from the screen, won’t they?
Click to expand...
Wonder why they won't allow those systems onto their LAN and you will allow them to insert their USB stick onto a Company machine? Is your Supervisor aware of this? Because they should be, and if they are and that is permissible? I'm glad it's not my Company.

Allow me to quote the same thing I did above from the FreeBSD Handbook, twice, since it is the Handbook:

Allowing untrusted users to mount arbitrary media, by enabling vfs.usermount as described below, should not be considered safe from a security point of view. Most file systems were not built to safeguard against malicious devices.
Click to expand...

obsigna said:
I tried it once again - and of course it works. A normal user can plugin a USB drive, GNOME does mount it as the user who is logged-in, and we can get hands on our data. So what you’re talking about? Here comes the evidence photo. A USB pendrive named Daten just plugged-in to the Desktop system, when user rolf was logged-in.
Click to expand...
Here come the facts.

Right below that it states:

To make the device mountable as a normal user, one solution is to make all users of the device a member of the operator group using pw(8). Next, ensure that operator is able to read and write the device by adding these lines to /etc/devfs.rules:
[localrules=5]
add path 'da*' mode 0660 group operator
Click to expand...

From the same /etc/devfs.rules file listed on my Tutorial:

"Copy this text into leafpad:

[devfsrules_common=7]
add path 'da*' mode 0666 group operator

And save it as /etc/devfs.rules

That's in the /etc directory, the filename is devfs.rules
Now enter the following commands:

echo 'devd_enable="YES"' >> /etc/rc.conf
echo 'devfs_system_ruleset="devfsrules_common"' >> /etc/rc.conf"

I'm already out of compliance in my naming of rules with steps outlined to allow a usr to mount USB drives, and where my Policy begins:

jitte@bakemono:~ $ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ada0s1a 447G 120G 291G 29% /
devfs 1.0K 1.0K 0B 100% /dev
linprocfs 4.0K 4.0K 0B 100% /compat/linux/proc
linsysfs 4.0K 4.0K 0B 100% /compat/linux/sys
devfs 1.0K 1.0K 0B 100% /compat/linux/dev
fdescfs 1.0K 1.0K 0B 100% /compat/linux/dev/fd
tmpfs 4.8G 4.0K 4.8G 0% /compat/linux/dev/shm
jitte@bakemono:~ $ groups jitte
jitte wheel operator
jitte@bakemono:~ $ mount -v -t msdosfs /dev/da0s1 /media/da0s1
mount_msdosfs: /dev/da0s1: Operation not permitted
/dev/ada0s1a on / (ufs, local, journaled soft-updates, writes: sync 5733 async 26285, reads: sync 274443 async 36174)
jitte@bakemono:~ $ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ada0s1a 447G 120G 291G 29% /
devfs 1.0K 1.0K 0B 100% /dev
linprocfs 4.0K 4.0K 0B 100% /compat/linux/proc
linsysfs 4.0K 4.0K 0B 100% /compat/linux/sys
devfs 1.0K 1.0K 0B 100% /compat/linux/dev
fdescfs 1.0K 1.0K 0B 100% /compat/linux/dev/fd
tmpfs 3.9G 4.0K 3.9G 0% /compat/linux/dev/shm
jitte@bakemono:~ $ su
Password:
root@bakemono:/home/jitte # cd /
root@bakemono:/ # mount -v -t msdosfs /dev/da0s1 /media/da0s1
/dev/da0s1 on /media/da0s1 (msdosfs, local, writes: sync 1 async 0, reads: sync 3667 async 0, fsid c700000032000000)
root@bakemono:/ # df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ada0s1a 447G 120G 291G 29% /
devfs 1.0K 1.0K 0B 100% /dev
linprocfs 4.0K 4.0K 0B 100% /compat/linux/proc
linsysfs 4.0K 4.0K 0B 100% /compat/linux/sys
devfs 1.0K 1.0K 0B 100% /compat/linux/dev
fdescfs 1.0K 1.0K 0B 100% /compat/linux/dev/fd
tmpfs 3.9G 4.0K 3.9G 0% /compat/linux/dev/shm
/dev/da0s1 115G 98G 16G 86% /media/da0s1
root@bakemono:/ # exit
exit
jitte@bakemono:~ $ umount -v -t msdosfs /dev/da0s1 /media/da0s1
umount: unmount of /media/da0s1 failed: Operation not permitted
umount: unmount of /media/da0s1 failed: Operation not permitted
jitte@bakemono:~ $ su
Password:
root@bakemono:/home/jitte # mount -v -t msdosfs /dev/da0s1 /media/da0s1
mount_msdosfs: /dev/da0s1: Device busy
/dev/da0s1 on /media/da0s1 (msdosfs, local, writes: sync 1 async 1, reads: sync 3667 async 0, fsid c700000032000000)
root@bakemono:/home/jitte # df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ada0s1a 447G 120G 291G 29% /
devfs 1.0K 1.0K 0B 100% /dev
linprocfs 4.0K 4.0K 0B 100% /compat/linux/proc
linsysfs 4.0K 4.0K 0B 100% /compat/linux/sys
devfs 1.0K 1.0K 0B 100% /compat/linux/dev
fdescfs 1.0K 1.0K 0B 100% /compat/linux/dev/fd
tmpfs 4.0G 4.0K 4.0G 0% /compat/linux/dev/shm
/dev/da0s1 115G 98G 16G 86% /media/da0s1
root@bakemono:/home/jitte # exit
exit
jitte@bakemono:~ $ xfe


Here comes the evidence I can transfer files from that root mounted USB stick from my usr account onto my usr account file manager with my permissions. Do I really need to show two shots to show the file in that Directory afterwards?

file_transfer.png


obsigna said:
Media be mounted only be root? Come on, this is an April fool joke from nerdistan. I do this since the 90th with all my desktop systems, mostly Mac's (some Windows'). Personally, I use FreeBSD not as a desktop but as a server OS, and with that it never made a difference, because I login as root anyway.
Click to expand...

Mostly Mac's and Windows. Doesn't use FreeBSD as a desktop and logs in as root to work instead of logging into the usr account and issuing su to become root.

I won't degrade you further. You've done a fine job of it yourself.

Now if you would like the Psycho Psychologist response, there is only one turn left you in Xanados Speed Chess. Make it a good one and be as brutally honest and verbose as possible, please.
 
Last edited by a moderator:
obsigna said:
Media be mounted only be root? Come on, this is an April fool joke from nerdistan. I do this since the 90th with all my desktop systems, mostly Mac's (some Windows'). Personally, I use FreeBSD not as a desktop but as a server OS, and with that it never made a difference, because I login as root anyway.
Click to expand...
Now who's April fooling? Login as root? That's a recipe for disaster. I'm sure you're exceptional about being careful to type rm -fr ./* rather than rm -fr /* or rm .* from /, but us normal folks aren't so sure about ourselves. Anything can happen when you're root. Better to become root for a brief time than to be root all the time. Or are you just trolling?
 
My FreeBSD servers are set up in a way that these run without any nanny interferences by me. So in the rare occasions, when I need to login, for example to start a software update, I am root only for a brief time, and when the work is done, which can only be done by root anyway, then I logout, so what? I wish good luck to everybody who needs to adjust their servers the whole day as non superuser, please go ahead, this is not my problem.

On my other desktop systems I am not working as root, and I even don’t want to become root for transferring data via a removable media. The point here is, that this does automatically work on macOS, Windows and as I TOLD YOU on FreeBSD desktop systems as well, and without any hassle. On my GNOME systems the user 'rolf' is not member of the 'operator' group and vfs.usermount is set to 0. My complaint now is, that you "experts" ventilated a hell a lot of your security nightmares instead of just giving the correct answer, which again is: IT SIMPLY DOES WORK (FULL STOP)
 
obsigna said:
My FreeBSD servers are set up in a way that these run without any nanny interferences by me. So in the rare occasions, when I need to login, for example to start a software update, I am root only for a brief time
Click to expand...
I assume you understand what you are doing. I couldn't quite work out if you were running X11 programs as root. This is generally discouraged because X11 is generally seen as too complex to audit this kind of use. Some applications artificially do not run if they detect root. I think this is even more important with big heavy toolkits like Gtk and Qt. Those have never been written with security in mind.

If it is CLI, then yeah, I agree that logging in as root is pretty safe. Though frankly just a simple sudo su - is probably just as easy at this point.

Basically, for any beginners out there... it is not recommended to log in to an X11 GUI session as root.
 
And I told you that you only had one move left in Xanados Speed Chess.
obsigna said:
On my other desktop systems I am not working as root, and I even don’t want to become root for transferring data via a removable media. The point here is, that this does automatically work on macOS, Windows and as I TOLD YOU on FreeBSD desktop systems as well, and without any hassle. On my GNOME systems the user 'rolf' is not member of the 'operator' group and vfs.usermount is set to 0. My complaint now is, that you "experts" ventilated a hell a lot of your security nightmares instead of just giving the correct answer, which again is: IT SIMPLY DOES WORK (FULL STOP)
Click to expand...
It doesn't matter if you shout it, scream it, stomp your feet about it, shake your fist and cry about it.

That is your in-expert opinion and you have no idea what the "correct" answer is, as proved by the Handbook and your own little tantrum party. ??
 
mikethe1wheelnut said:
..Oh boy.. ..woaw!.. just hold on there a minute! ..I now have this sudden intense conviction that you have a wildly mis-placed idea of who I am and what my motivations are. I'm -not- asking to use your services! I have -no- idea who you are, and no idea what your computers are supposed to be used for! It's looking now like you work for (or more likely own your own) super-secret research facility.. so yes, in that case, -definite- cultural divide.. :-S
Click to expand...
Please do me, us -- and yourself -- a favour and stop trying to break into Trihexagonal's home lab -- IMMEDIATELY, NOW. He's our high priest of the BeaSD. Don't try to outsmart the wizzards...
 
Mjölnir said:
Please do me, us -- and yourself -- a favour and stop trying to break into Trihexagonal's home lab -- IMMEDIATELY, NOW. He's our high priest of the BeaSD. Don't try to outsmart the wizzards...
Click to expand...
As for him being the high-priest, you don't have to work that hard to convince me of that! :-D If I ever have a data-center administrator job to hand out, he'll be top of the list! ..the only delay will come from the time it takes to build the fortress necessary to ensure that nobody "accidentally" wanders into his territory (uninvited).. :-S
 
I use Xfce and it has a service which runs that mounts removable media and puts an icon on the desktop.
gvfs-automount

I just thought I would throw that out there. It is an option for using USB disks as a non-root user.
All you need to do is HAL_enable="YES" in /etc/rc.conf on Xfce.

I find it annoying and don't like automounting.
 
You must log in or register to reply here.
Back
Top