# security policy prevents usb automounting

## chanakam2000

Hi all,

Sorry for the long post. I want you to understand it clearly.

We are using Gentoo & the xfce4 X Window System.

Our global USE flags are as follows.

```
USE="jpeg png truetypes -gnome -kde -qt3 -qt4 X dbus hal startup-notification -ipv6 xcomposite"
```

& /etc/portage/package.use is here

```
xfce-base/xfce4 minimal
```

We have installed

*Quote:*

> xfce-extra/thunar-volman
>
>       Latest version available: 0.2.0
> ...

The result of rc-update show is here:

```
l29 ~ # rc-update show
            bootmisc | boot
             checkfs | boot
           checkroot | boot
               clock | boot
         consolefont | boot
                hald |      default
            hostname | boot
             keymaps | boot
               local |      default nonetwork
          localmount | boot
             modules | boot
            net.eth0 |      default
              net.lo | boot
            netmount |      default
             portmap |      default
           rmnologin | boot
                sshd |      default
           syslog-ng |      default
             urandom | boot
          vixie-cron |      default
```

When I log in as root & plug in a USB drive, it mounts automatically & displays an icon on the desktop.

So the USB device is easily accessible. It is fine.

So I want similar behaviour for normal users (who are not root).

I went through some forum posts and found that editing /etc/group & adding normal users to certain groups will help with this issue.

So now my /etc/group is here:

```
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm,haldaemon
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root,haldaemon
mail::12:mail
news::13:news
uucp::14:uucp
man::15:man
console::17:
audio::18:
cdrom:!:19:haldaemon,chanaka
dialout::20:root
tape::26:root
video::27:root
cdrw:!:80:haldaemon,chanaka
usb:!:85:haldaemon,chanaka
users::100:games
nofiles:x:200:
smmsp:x:209:smmsp
portage::250:portage
utmp:x:406:
nogroup::65533:
nobody::65534:
ldap:x:439:
sshd:x:22:
cron:x:16:
crontab:x:440:
messagebus:x:441:
lpadmin:x:106:
haldaemon:x:442:haldaemon
plugdev:!:443:haldaemon,chanaka
rpc:x:111:
```

Now, apart from root, the user named chanaka can use USB drives (automount when plugged in & icon on the desktop).

But other users can't.

But here my problem is that we want this setup in a general LAB. There are about 300 users and 50 machines,

and the number of users & their user names change from time to time.

So is there any easy way to overcome this? (Rather than adding each individual user to certain groups.)

And another thing is that all 300 users are LDAP users & they are in a few groups named teachers, first_year_students etc.

Can you please give me some fancy ideas to solve this problem?

Thank you.

Sorry for the long post.

Last edited by chanakam2000 on Tue Dec 11, 2007 1:42 pm; edited 1 time in total

----------

## JeliJami

*chanakam2000 wrote:*

> But here my problem is that we want this setup in a general LAB. There are about 300 users and 50 machines,
>
> and the number of users & their user names change from time to time.
> ...

Use pam authentication with ldap?

----------

## chanakam2000

*davjel wrote:*

> *chanakam2000 wrote:*
>
> But here my problem is that we want this setup in a general LAB. There are about 300 users and 50 machines,
>
> and the number of users & their user names change from time to time.
> ...

Yes, we are using PAM authentication with LDAP.

Thanks

----------

## chanakam2000

I missed one thing:

when a non-root user is logged on, the USB device icon is displayed on the desktop.

But when they try to access it, it gives the following error message.

```
Failed to mount "KINGSTON"
A security policy in place prevents this sender from sending this message to this
recipient. see message bus configuration file. (rejected message had interface
"org.freedesktop.Hal.Device.Volume" member "Mount" error name "(unset)" destination
"org.freedesktop.Hal")
```

Sorry, I can't understand this message. What is the bus configuration file?

How to correct it?

----------

## JeliJami

*chanakam2000 wrote:*

> I missed one thing:
>
> when a non-root user is logged on, the USB device icon is displayed on the desktop.
>
> But when they try to access it, it gives the following error message.
> ...

Sorry I can't help you any further.

Maybe it's time to change the topic title from USB drive mount problem to something like security policy prevents usb automounting. That may attract people that know about this.

Good luck!

----------

## skyPhyr

Hi chanakam,

I hit the same issue here, and found your post. Good news is it got me thinking and it relates to an issue I've hit before. I have a similar setup to you, but with kerberos authentication with ldap, rather than ldap authentication.

Pam authentication stops at the local version of a group if it exists (so I had to remove wheel from /etc/group in order to have the wheel on my ldap server checked). So I thought it may be hitting a similar issue with the plugdev group.

It seems removing plugdev from /etc/group got me sorted, but then I had a tonne of ldap not found messages when udev started. So I had to remove rules (in my case all the libgphoto rules) to get rid of these messages on boot.

Perhaps you know of another way to get udev to ignore groups which are missing on boot, but anyway hopefully this will resolve your issue too.

Cheers,

Alan.

----------
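An audit for the situation skyPhyr describes, a local /etc/group entry with the same name as a directory group, written as an added example that is not code from any poster in this thread. It assumes the directory's groups have been exported to a file in group(5) format; the function name `shadowed_groups` and the sample users `student1` and `teacher1` are made up.

```shell
#!/bin/sh
# Added example: report groups defined both in the local group file and in
# the directory export, with the directory members the local entry lacks.
# Usage: shadowed_groups LOCAL_GROUP_FILE DIRECTORY_GROUP_FILE
# Both files use group(5) format: name:passwd:gid:member,member
shadowed_groups() {
    awk -F: '
        # First file: remember each local group and its member list.
        NR == FNR { if ($1 != "") local_members[$1] = $4; next }
        # Second file: act only on directory groups that also exist locally.
        ($1 in local_members) {
            split("", have)                          # portable array reset
            m = split(local_members[$1], loc, ",")
            for (i = 1; i <= m; i++) have[loc[i]] = 1
            n = split($4, dir, ",")
            missing = ""
            for (i = 1; i <= n; i++)
                if (dir[i] != "" && !(dir[i] in have))
                    missing = missing (missing == "" ? "" : ",") dir[i]
            print $1 ":" (missing == "" ? "-" : missing)
        }
    ' "$1" "$2"
}

# Constructed sample data: the local lines are modelled on the /etc/group
# posted above; the directory lines are invented for the demonstration.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/local" <<'EOF'
wheel::10:root
plugdev:!:443:haldaemon,chanaka
usb:!:85:haldaemon,chanaka
EOF
    cat > "$tmp/dir" <<'EOF'
plugdev:*:443:chanaka,student1,teacher1
teachers:*:5001:teacher1
EOF
    shadowed_groups "$tmp/local" "$tmp/dir"
    rm -rf "$tmp"
}

demo
```

Each output line is `group:members-only-in-directory`, with `-` when the local entry already lists everyone; run across the lab machines, it shows which local entries would need to go before directory membership can take effect.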

