autorun.sh is not executed

> Any opposition to that?

maybe. how do we protect users from malicious autoruns on unfamiliar media?
(get a CD from an unknown source, maybe it installs a worm when you insert it?)

That's easy to prevent; we just need to present a confirmation dialog before
executing anything

Hmm, confirmation dialogs tend to get ignored after you saw them the third time,
so I'm not sure whether this was the best thing. But since the concrete
implementation is a Hoary thing anyway, we can defer the discussion until after
the Warty release.

A temporary "fix" for warty would be to remove the documentation item in g-v-m's
README.Debian and to remove the "automatically run programs on new drives and
media" (translated from German) option from the removable device settings dialog.

But the problem that users cannot execute stuff on removable devices remains;
the fix in pmount is trivial (change 'noexec' to 'exec') and could be done for
Warty. However, this is a design decision. It's not a real blocker, people can
alway copy files to their home and execute it from there, so IMHO we could leave
things as they are for Warty.

I think it would be nice to support autorun with confirmation for Hoary. This
would be useful for implementing CD-based upgrades

Agree. If there's consensus, we need to enable g-v-m's autorun setting by
default, and ensure that it does confirmation.

(In reply to comment #4)
> I think it would be nice to support autorun with confirmation for Hoary. This
> would be useful for implementing CD-based upgrades

I think this issue should now be discussed again. CD based upgrades work fine
without autorun (this is done with a hal script), so this alone is no argument
any more.

The question is what we do want to do with autorun. I see the following options:

1. completely disable: pmount with noexec (as now), remove configuration option
from gvm
2. enable: pmount with exec (should work automatically then)
3. enable with confirmation dialog: pmount with exec, change g-v-m to confirm
execution

I don't really like 3 because confirmation dialogs tend to get ignored and they
do not tell you what will be performed anyway. I doubt that many users would
want to actually read the shell code (let alone analyze a binary) before
executing it.

My personal preference is option 1.

Any opinions?

If there is no valid use case for autorun functionality, then it should be
removed upstream, and this would become a non-issue. If there are valid use
cases, we should try to support them in some reasonable way.

This should be discussed on ubuntu-devel, rather than in this bug report, so
I'll close it for now. Martin, please start a thread about this on the list.

(In reply to comment #7)>
> This should be discussed on ubuntu-devel, rather than in this bug report, so
> I'll close it for now. Martin, please start a thread about this on the list.

This has been discussed for a while, and it seems that there are users who want
this feature. gnome-volume-manager already displays a confirmation dialog before
actually executing anything, so the only missing thing is to mount with 'exec'.

pmount 0.7 now supports exec-mounting with the -e/--exec switch, so this flag
can be used by a future gnome-volume-manager if autorun is enabled.

 gnome-volume-manager (1.1.2-5ubuntu1) hoary; urgency=low
 .
   * Mount devices with the 'exec' mount option (using pmount's new --exec
       switch) now. This also closes Ubuntu #1956.
   * Bumped pmount dependency to >= 0.7 since previous versions did not support
     the --exec option.

This does not appear to be working in Breezy. USB media are always mounted with
"noexec".

(In reply to comment #10)
> This does not appear to be working in Breezy. USB media are always mounted with
> "noexec".

Whoops, thank you for spotting this.

 gnome-volume-manager (1.5.7-0ubuntu1) dapper; urgency=low
 .
   * New upstream version.
   * debian/patches/03_fix_policy_execution.patch: Dropped, adopted upstream.
   * Adopted patches for new version:
     - 01_set_defaults.patch
     - 02_pmount_crypt.patch
     - 91_ubuntu-remove_default_audio_dev.patch
     - 99_autotools.patch
   * Add debian/patches/03_no_hal_mount.patch: Directly call pmount-hal,
     pumount, and eject instead of invoking Hal functions. These are utter
     crack, and do not even exist yet. This also finally makes the CD drive's
     eject button work with mounted CDs.
   * debian/patches/92_ubuntu-new_audio_notification.patch:
     - Re-add bits that were dropped in last version to make audio device
       notification work again.
     - Fix timeout and icon type for new libnotify.
   * debian/rules: Drop now obsolete DEB_CONFIGURE_EXTRA_FLAGS.
   * debian/patches/03_no_hal_mount.patch: Mount devices with --exec again,
     this got dropped at some point in Breezy. (Ubuntu #1956)
   * debian/patches/02_pmount_crypt.patch: Display the device name in the
     passphrase dialog to be able to tell apart dialogs for multiple encrypted
     devices. (Ubuntu #19825)

How about executing the autorun script, but only if a suitable trusted pgp signature is associated with it?

The most recent versions of seahorse even include a nautilus extension that adds right click signing and encrypting.

That way I could make autorun scripts for my own media and choose some other folks to trust in such a fashion, but not worry about random autorun scripts hijacking my session.