Miglior metodo per montare come utente normale

[Buntolo]

In questi giorni sto configurando la nuova installazione di arch sul "nuovo" fisso, da qui le varie discussioni che sto aprendo.
Chiedo ai moderavacche/amministratrote se sia il caso di riunificare tutto il popò in un'unica discussione, faccino loro.

Ho tanti dischi, tante partizioni ed il loro numero è variabile, quindi vorrei evitare di usare fstab per dare il mount in lettura/scrittura all'utente normale, vorrei una cosa una-tantum e dinamica/in tempo reale.

Qual è il metodo migliore?
Modificare sudoers in modo da permettere il mount agli utenti normali?
Modificare i permessi di mount?
Usare FUSE? (L'ho scoperto oggi per la prima volta e non è che ci abbia capito un granché: https://wiki.archlinux.org/index.php/File_systems#FUSE-based_file_systems)
Altro ancora?

[Darko]

udisks/udisks2/udiskie
Dovrebbero essere sufficienti a montare tutto.
Inoltre gvfs e i plugin di thunar

[Buntolo]

Ho provato con udevil, ho modificato /etc/udevil/udevil.conf così:

In sintesi ho cambiato

Codice Seleziona Espandi


log_keep_days = 0
allowed_groups = wheel

Codice Seleziona Espandi

##############################################################################
#
# udevil configuration file    /etc/udevil/udevil.conf
#
# This file controls what devices, networks, and files users may mount and
# unmount via udevil (set suid).
#
# IMPORTANT:  IT IS POSSIBLE TO CREATE SERIOUS SECURITY PROBLEMS IF THIS FILE
# IS MISCONFIGURED - EDIT WITH CARE
#
# Note:  For greater control for specific users, including root, copy this
# file to /etc/udevil/udevil-user-USERNAME.conf replacing USERNAME with the
# desired username (eg /etc/udevil/udevil-user-jim.conf).
#
# Format:
#   OPTION = VALUE[, VALUE, ...]
#
# DO NOT USE QUOTES except literally
# Lines beginning with # are ignored
#
##############################################################################


# To log all uses of udevil, set log_file to a file path:
# log_file = /var/log/udevil.log

# Approximate number of days to retain log entries (0=forever, max=60):
log_keep_days = 0


# allowed_types determines what fstypes can be passed by a user to the u/mount
# program, what device filesystems may be un/mounted implicitly, and what
# network filesystems may be un/mounted.
# It may also include the 'file' keyword, indicating that the user is allowed
# to mount files (eg an ISO file).  The $KNOWN_FILESYSTEMS variable may
# be included to include common local filesystems as well as those listed in
# /etc/filesystems and /proc/filesystems.
# allowed_types_USERNAME, if present, is used to override allowed_types for
# the specific user 'USERNAME'.  For example, to allow user 'jim' to mount
# only vfat filesystems, add:
# allowed_types_jim = vfat
# Setting allowed_types = * does NOT allow all types, as this is a security
# risk, but does allow all recognized types.
# allowed_types = $KNOWN_FILESYSTEMS, file, cifs, smbfs, nfs, curlftpfs, ftpfs, sshfs, davfs, tmpfs, ramfs
allowed_types = $KNOWN_FILESYSTEMS, file


# allowed_users is a list of users permitted to mount and unmount with udevil.
# Wildcards (* or ?) may be used in the usernames.  To allow all users,
# specify "allowed_users=*".  UIDs may be included using the form UID=1000.
# For example:  allowed_users = carl, UID=1000, pre*
# Also note that permission to execute udevil may be limited to users belonging
# to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
# depending on installation.
# allowed_users_FSTYPE, if present, is used to override allowed_users when
# mounting or unmounting a specific fstype (eg nfs, ext3, file).
# Note that when mounting a file, fstype will always be 'file' regardless of
# the internal fstype of the file.
# For example, to allow only user 'bob' to mount nfs shares, add:
# allowed_users_nfs = bob
# The root user is NOT automatically allowed to use udevil in some cases unless
# listed here (except for unmounting anything or mounting fstab devices).
allowed_users = *


# allowed_groups is a list of groups permitted to mount and unmount with
# udevil.  The user MUST belong to at least one of these groups.  Wildcards
# or GIDs may NOT be used in group names, but a single * may be used to allow
# all groups.
# Also note that permission to execute udevil may be limited to users belonging
# to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
# depending on installation.
# allowed_groups_FSTYPE, if present, is used to override allowed_groups when
# mounting or unmounting a specific fstype (eg nfs, ext3, file).  For example,
# to allow only members of the 'network' group to mount smb and nfs shares,
# use both of these lines:
# allowed_groups_smbfs = network
# allowed_groups_nfs = network
# The root user is NOT automatically allowed to use udevil in some cases unless
# listed here (except for unmounting anything or mounting fstab devices).
allowed_groups = wheel


# allowed_media_dirs specifies the media directories in which user mount points
# may be located.  The first directory which exists and does not contain a
# wildcard will be used as the default media directory (normally /media or
# /media/$USER).
# The $USER variable, if included, will be replaced with the username of the
# user running udevil.  Wildcards may also be used in any directory EXCEPT the
# default.  Wildcards will not match a /, except a /** suffix for recursion.
# allowed_media_dirs_FSTYPE, if present, is used to override allowed_media_dirs
# when mounting or unmounting a specific fstype (eg ext2, nfs).  For example,
# to cause /media/network to be used as the default media directory for
# nfs and ftpfs mounts, use these two lines:
# allowed_media_dirs_nfs   = /media/network, /media, /media/$USER
# allowed_media_dirs_ftpfs = /media/network, /media, /media/$USER
# NOTE: If you want only the user who mounted a device to have access to it
# and be allowed to unmount it, specify /media/$USER as the first
# allowed media directory (only /media/$USER is created on demand).
# IMPORTANT:  If an allowed file is mounted to a media directory, the user may
# be permitted to unmount its associated loop device even though internal.
# INCLUDING /MNT HERE IS NOT RECOMMENDED.  ALL ALLOWED MEDIA DIRECTORIES
# SHOULD BE OWNED AND WRITABLE ONLY BY ROOT.
allowed_media_dirs = /media, /media/$USER, /run/media/$USER


# allowed_devices is the first criteria for what block devices users may mount
# or unmount.  If a device is not listed in allowed_devices, it cannot be
# un/mounted (unless in fstab).  However, even if a device is listed, other
# factors may prevent its use.  For example, access to system internal devices
# will be denied to normal users even if they are included in allowed_devices. 
# allowed_devices_FSTYPE, if present, is used to override allowed_devices when
# mounting or unmounting a specific fstype (eg ext3, ntfs).  For example, to
# prevent all block devices containing an ext4 filesystem from being
# un/mounted use:
# allowed_devices_ext4 =
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "allowed_devices=*" which allows any device.  The recommended setting is
# allowed_devices = /dev/*
# WARNING:  ALLOWING USERS TO MOUNT DEVICES OUTSIDE OF /dev CAN CAUSE SERIOUS
# SECURITY PROBLEMS.  DO NOT ALLOW DEVICES IN /dev/shm
allowed_devices = /dev/*


# allowed_internal_devices causes udevil to treat any listed block devices as
# removable, thus allowing normal users to un/mount them (providing they are
# also listed in allowed_devices).
# allowed_internal_devices_FSTYPE, if present, is used to override
# allowed_internal_devices when mounting or unmounting a specific fstype
# (eg ext3, ntfs).  For example, to allow block devices containing a vfat
# filesystem to be un/mounted even if they are system internal devices, use:
# allowed_internal_devices_vfat = /dev/sdb*
# Some removable esata drives look like internal drives to udevil.  To avoid
# this problem, they can be treated as removable with this setting.
# WARNING:  SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
# allowed_internal_devices =


# allowed_internal_uuids and allowed_internal_uuids_FSTYPE work similarly to
# allowed_internal_devices, except that UUIDs are specified instead of devices.
# For example, to allow un/mounting of an internal filesystem based on UUID:
# allowed_internal_uuids = cc0c4489-8def-1e5b-a304-ab87c3cb626c0
# WARNING:  SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
# allowed_internal_uuids =


# forbidden_devices is used to prevent block devices from being un/mounted
# even if other settings would allow them (except devices in fstab).
# forbidden_devices_FSTYPE, if present, is used to override
# forbidden_devices when mounting or unmounting a specific fstype
# (eg ext3, ntfs).  For example, to prevent device /dev/sdd1 from being
# mounted when it contains an ntfs filesystem, use:
# forbidden_devices_ntfs = /dev/sdd1
# NOTE: device node paths are canonicalized before being tested, so forbidding
# a link to a device will have no effect.
forbidden_devices =


# allowed_networks determines what hosts may be un/mounted by udevil users when
# using nfs, cifs, smbfs, curlftpfs, ftpfs, or sshfs.  Hosts may be specified
# using a hostname (eg myserver.com) or IP address (192.168.1.100).
# Wildcards may be used in hostnames and IP addresses, but CIDR notation
# (192.168.1.0/16) is NOT supported.  IP v6 is supported.  For example:
# allowed_networks = 127.0.0.1, 192.168.1.*, 10.0.0.*, localmachine, *.okay.com
# Or, to prevent un/mounting of any network shares, set:
# allowed_networks =
# allowed_networks_FSTYPE, if present, is used to override allowed_networks
# when mounting or unmounting a specific network fstype (eg nfs, cifs, sshfs,
# curlftpfs).  For example, to limit nfs and samba shares to only local
# networks, use these two lines:
# allowed_networks_nfs = 192.168.1.*, 10.0.0.*
# allowed_networks_cifs = 192.168.1.*, 10.0.0.*
allowed_networks = *


# forbidden_networks and forbidden_networks_FSTYPE are used to specify networks
# that are never allowed, even if other settings allow them (except fstab).
# NO REVERSE LOOKUP IS PERFORMED, so including bad.com will only have an effect
# if the user uses that hostname.  IP lookup is always performed, so forbidding
# an IP address will also forbid all corresponding hostnames.
forbidden_networks =


# allowed_files is used to determine what files in what directories may be
# un/mounted.  A user must also have read permission on a file to mount it.
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "allowed_files=*" which allows any file, and a /** suffix, which matches
# all files recursively.
# For example, to allow only files in the /share directory to be mounted, use:
# allowed_files = /share/*
# To allow all files in the /share directory AND all subdirectories use:
# allowed_files = /share/**
# NOTE:  Specifying allowed_files_FSTYPE will NOT work because the fstype of
# files is always 'file'.
allowed_files = *


# forbidden_files is used to specify files that are never allowed, even if
# other settings allow them (except fstab).  Specify a full path.
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "forbidden_files = *", or a /** suffix, which matches all recursively.
# NOTE: file paths are canonicalized before being tested, so forbidding
# a link to a file will have no effect.
forbidden_files =


# default_options specifies what options are always included when performing
# a mount, in addition to any options the user may specify.
# Note:  When a device is present in /etc/fstab, and the user does not specify
# a mount point, the device is mounted with normal user permissions using
# the fstab entry, without these options.
# default_options_FSTYPE, if present, is used to override default_options
# when mounting a specific fstype (eg ext2, nfs).
# The variables $USER, $UID, and $GID are changed to the user's username, UID,
# and GID.
# FOR GOOD SECURITY, default_options SHOULD ALWAYS INCLUDE: nosuid,noexec,nodev
# WARNING:  OPTIONS PRESENT OR MISSING CAN CAUSE SERIOUS SECURITY PROBLEMS.
default_options           = nosuid, noexec, nodev, noatime
default_options_file      = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro
# mount iso9660 with 'ro' to prevent mount read-only warning
default_options_iso9660   = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro, utf8
default_options_udf       = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_vfat      = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID, utf8
default_options_exfat     = nosuid, noexec, nodev, noatime, umask=0077, uid=$UID, gid=$GID, iocharset=utf8, namecase=0, nonempty
default_options_msdos     = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID
default_options_umsdos    = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID
default_options_ntfs      = nosuid, noexec, nodev, noatime, fmask=0133, uid=$UID, gid=$GID, utf8
default_options_cifs      = nosuid, noexec, nodev, uid=$UID, gid=$GID
default_options_smbfs     = nosuid, noexec, nodev, uid=$UID, gid=$GID
default_options_sshfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
default_options_curlftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
default_options_ftpfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_davfs     = nosuid, noexec, nodev, uid=$UID, gid=$GID
default_options_tmpfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_ramfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID


# allowed_options determines all options that a user may specify when mounting.
# All the options used in default_options above must be included here too, or
# they will be rejected.  If the user attempts to use an option not included
# here, an error will result.  Wildcards may be used.
# allowed_options_FSTYPE, if present, is used to override allowed_options
# when mounting a specific fstype (eg ext2, nfs).
# The variables $USER, $UID, and $GID are changed to the user's username, UID,
# and GID.
# If you want to forbid remounts, remove 'remount' from here.
# WARNING:  OPTIONS HERE CAN CAUSE SERIOUS SECURITY PROBLEMS - CHOOSE CAREFULLY
allowed_options           = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID, ro, rw, sync, flush, iocharset=*, utf8, remount
allowed_options_nfs       = nosuid, noexec, nodev, noatime, ro, rw, sync, remount, port=*, rsize=*, wsize=*, hard, proto=*, timeo=*, retrans=*
allowed_options_cifs      = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
allowed_options_smbfs     = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
allowed_options_sshfs     = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, idmap=user, BatchMode=yes, port=*
allowed_options_curlftpfs = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, user=*
allowed_options_ftpfs     = nosuid, noexec, nodev, noatime, ro, rw, port=*, user=*, pass=*, root=*, uid=$UID, gid=$GID
allowed_options_exfat     = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID, umask=0077, namecase=*, ro, rw, sync, flush, iocharset=*, remount, nonempty


# mount_point_mode, if present and set to a non-empty value, will cause udevil
# to set the mode (permissions) on the moint point after mounting  If not
# specified or if left empty, the mode is not changed.  Mode must be octal
# starting with a zero (0755).
# mount_point_mode_FSTYPE, if present, is used to override mount_point_mode
# when mounting a specific fstype (eg ext2, nfs).
# NOT SETTING A MODE CAN HAVE SECURITY IMPLICATIONS FOR SOME FSTYPES
mount_point_mode = 0755
# don't set a mode for some types:
mount_point_mode_sshfs =
mount_point_mode_curlftpfs =
mount_point_mode_ftpfs =


# Use the settings below to change the default locations of programs used by
# udevil, or (advanced topic) to redirect commands to your scripts.
# When substituting scripts, make sure they are root-owned and accept the
# options used by udevil (for example, the mount_program must accept --fake,
# -o, -v, and other options valid to mount.)
# Be sure to specify the full path and include NO OPTIONS or other arguments.
# These programs may also be specified as configure options when building
# udevil.
# THESE PROGRAMS ARE RUN AS ROOT
# mount_program   = /bin/mount
# umount_program  = /bin/umount
# losetup_program = /sbin/losetup
# setfacl_program = /usr/bin/setfacl


# validate_exec specifies a program or script which provides additional
# validation of a mount or unmount command, beyond the checks performed by
# udevil.  The program is run as a normal user (if root runs udevil,
# validate_exec will NOT be run).  The program is NOT run if the user is
# mounting a device without root priviledges (a device in fstab).
# The program is passed the username, a printable description of what is
# happening, and the entire udevil command line as the first three arguments.
# The program must return an exit status of 0 to allow the mount or unmount
# to proceed.  If it returns non-zero, the user will be denied permission.
# For example, validate_exec might specify a script which notifies you
# of the command being run, or performs additional steps to authenticate the
# user.
# Specify a full path to the program, with NO options or arguments.
# validate_exec =


# validate_rootexec works similarly to validate_exec, except that the program
# is run as root.  validate_rootexec will also be run if the root user runs
# udevil.  If both validate_exec and validate_rootexec are specified,
# validate_rootexec will run first, followed by validate_exec.
# The program must return an exit status of 0 to allow the mount or unmount
# to proceed.  If it returns non-zero, the user will be denied permission.
# Unless you are familiar with writing root scripts, it is recommended that
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
# validate_rootexec =


# success_exec is run after a successful mount, remount, or unmount.  The
# program is run as a normal user (if root runs udevil, success_exec
# will NOT be run).
# The program is passed the username, a printable description of what action
# was taken, and the entire udevil command line as the first three arguments.
# The program's exit status is ignored.
# For example, success_exec might run a script which informs you of what action
# was taken, and might perform further actions.
# Specify a full path to the program, with NO options or arguments.
# success_exec =


# success_rootexec works similarly to success_exec, except that the program is
# run as root.  success_rootexec will also be run if the root user runs udevil.
# If both success_exec and success_rootexec are specified,  success_rootexec
# will run first, followed by success_exec.
# Unless you are familiar with writing root scripts, it is recommended that
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
# success_rootexec =





Ma continua a chiedermi la password e non ho permessi di scrittura.
Inoltre sono sempre più confuso, qui mi si consiglia udevil: https://wiki.archlinux.org/index.php/Udisks#Devmon
qua mi si consiglia udiskie perché usa udisks2 (ma anche udevil lo fa a quanto pare): https://wiki.archlinux.org/index.php/Thunar#Automounting_of_large_external_drives

[madnessmike]

@Buntolo non mettere i tag code sotto spoiler, sennò diventano illeggibili

[Darko]

udevil non mi ha mai funzionato correttamente.
In ogni caso controlla gvfs se è installato. Alla fin fine è la soluzione migliore e funziona senza magheggi

[Buntolo]

udevil non mi ha mai funzionato correttamente.
In ogni caso controlla gvfs se è installato. Alla fin fine è la soluzione migliore e funziona senza magheggi

L'ho installato, ma mica ho capito come usarlo. Non riesco ad abilitare gvfsd.

Inoltre cosa sarebbe l'automount? Monta in automatico ogni dispositivo che trova o semplicemente quando io lo monto lui lo fa senza chiedere permessi di root?
Perché non voglio che ad ogni avvio/accesso mi monti 10-20 partizioni.

[Darko]

Automount significa che monta tutto quello che trova senza chiedere nulla.

Per gvfs non c'è nulla da fare. Apri thunar e vedi nelle preferenze se hai la spunta ad "abilita gestione dei volumi"

[Buntolo]

Automount significa che monta tutto quello che trova senza chiedere nulla.

Per gvfs non c'è nulla da fare. Apri thunar e vedi nelle preferenze se hai la spunta ad "abilita gestione dei volumi"

La gestione dei volumi è abilitata, non ho abilitato "monta i dispositivi rimovibili collegati" e "monta i dischi rimovibili collegati" per via che non voglio montare il mondo OGNI volta.

Comunque ho notato una cosa: posso montare TUTTO senza richiesta di password, posso scrivere su NTFS, NON posso scrivere su ext4. L'unica cosa che mi viene in mente è che NTFS non supporta i permessi Linux, ma non so dove andare a parare per risolvere la questione.

[Darko]

Per ntfs installa ntfs-3g
Per ext4 sarà solo un problema di permessi

[TonyWhite]

In questi giorni sto configurando la nuova installazione di arch sul "nuovo" fisso, da qui le varie discussioni che sto aprendo.
Chiedo ai moderavacche/amministratrote se sia il caso di riunificare tutto il popò in un'unica discussione, faccino loro.

Ho tanti dischi, tante partizioni ed il loro numero è variabile, quindi vorrei evitare di usare fstab per dare il mount in lettura/scrittura all'utente normale, vorrei una cosa una-tantum e dinamica/in tempo reale.

Qual è il metodo migliore?
Modificare sudoers in modo da permettere il mount agli utenti normali?
Modificare i permessi di mount?
Usare FUSE? (L'ho scoperto oggi per la prima volta e non è che ci abbia capito un granché: https://wiki.archlinux.org/index.php/File_systems#FUSE-based_file_systems)
Altro ancora?

Me la dai?

Ora metti risolto nel titolo del thread.

[Buntolo]

Per ntfs installa ntfs-3g
Per ext4 sarà solo un problema di permessi

Sicuramente, solo non so come muovermi adesso.
Potrei cambiare i permessi di /run/media/$utente ma non so quanto sia raccomandabile: che succede se monto una partizione con un sistema operativo dentro? Sputtana tutti i permessi?

Me la dai?

Ora metti risolto nel titolo del thread.

La tua capa ha detto che se ne vuole occupare lei. 

[Darko]

Prova a riavviare la sessione e a rimontare, magari è qualcosa deve settarsi per bene.

Meglio se riavvi proprio

[TonyWhite]

Non sputtana tutti i permessi.

Dato che ci sei, fai le veci di Vlad III.

[Cire]

Prova a riavviare la sessione e a rimontare, magari è qualcosa deve settarsi per bene.

Meglio se riavvi proprio

O controlla a che gruppi appartiene il tuo utente.

[Buntolo]

Prova a riavviare la sessione e a rimontare, magari è qualcosa deve settarsi per bene.

Meglio se riavvi proprio

Già lo feci; ora sto chiedendo sul foro di arch ma mi hanno già consigliato fstab nonostante abbia scritto che vorrei evitarlo 

Prova a riavviare la sessione e a rimontare, magari è qualcosa deve settarsi per bene.

Meglio se riavvi proprio

O controlla a che gruppi appartiene il tuo utente.

Sono in wheel (che su arch è il gruppo "amministratrote") e nell'utente stesso (perché arch crea anche un gruppo col solito nome dell'utente per ogni utente).
Ho configurato udisks con una regola in polkit perché dia il dioporco del mount al gruppo wheel.