Guest account can read/write in /media/

Bug #882862 reported by Fred
This bug affects 2 people
Affects: lightdm (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Martin Pitt
Milestone: (none listed)

Bug Description

The guest account can read/write everything under /media/.
Is the guest account really supposed to be able to access and read all the files on the host computer?

If yes, then is the guest account really really supposed to be able to write to /media/ ?
Shouldn't the guest be limited to his temporary home in /tmp/ ?

security vulnerability: no → yes
Tyler Hicks (tyhicks) wrote :

Hi Fred - Thanks for taking the time to file this bug report.

If your concern is only about the /media directory, the guest user should be able to read and search that directory. The guest account should not be able to write to that directory. I've verified that to be the case on several freshly installed Oneiric systems.

However, I suspect your concern is about the guest account being able to read and write to USB storage devices that are mounted inside the /media directory (/media/2DC0-D277/, for example). Is this correct?

affects: ubuntu → lightdm (Ubuntu)
Changed in lightdm (Ubuntu):
status: New → Incomplete
Fred (eldmannen+launchpad) wrote :

No, if the guest plugs in his or her own USB flash memory then it should be readable and writeable by the guest.

The problem is that the guest can read, write and erase the data on the system if the disk partitions are mounted.
Disk partitions get mounted in subdirectories of /media, and they're both readable and writeable by the guest.

Excerpt from /etc/fstab:
/dev/sdb1 /media/Windows ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
/dev/sdb5 /media/Music ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
/dev/sdb6 /media/Movies ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0

Sebastien Bacher (seb128) wrote :

Hey Martin, do you have an opinion on whether that should be blocked or not?

Changed in lightdm (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
status: Incomplete → New
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

Originally we deliberately allowed that so that guest users can use a USB stick to do things like editing documents there or keeping their Firefox config. See the profile:

  /media/** rmwlixk, # we want access to USB sticks and the like

However, this should certainly be limited to the guest user's own devices. We already shield users from each other by mounting VFAT devices with dmask=0077, and ext4 devices have their own ACLs anyway.

That of course breaks down if you have custom /etc/fstab rules which allow anyone to write there. I think we can tighten this up with

  owner /media/** rmwlixk,

This would break desired access to e.g. ext4 external hard disks, but that might be a smaller use case.
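
An added example (not from this bug thread or from lightdm): a Python check that reads fstab text and reports what access non-owner users, such as a guest session, get on FAT/NTFS mounts under /media, which is the situation the umask=0 entries quoted above create. The sample fstab is constructed, and the default masks applied when no mask option is present are assumptions marked in the code.

```python
# Added example: report what access "other" users (e.g. a guest session) get on
# FAT/NTFS mounts under /media, based only on the mask options in fstab.

# These filesystems store no Unix permissions; mount options decide access.
MASKED_FS = {"vfat", "msdos", "ntfs-3g"}

# Constructed sample. The first entry copies the umask=0 pattern from the report.
SAMPLE_FSTAB = """\
# <device> <mount point> <type> <options> <dump> <pass>
/dev/sdb1 /media/Windows ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
/dev/sdb5 /media/Music ntfs-3g quiet,defaults,umask=022 0 0
/dev/sdc1 /media/Stick vfat defaults,dmask=0077,fmask=0177 0 0
/dev/sdd1 /media/Backup vfat ro,umask=0 0 0
/dev/sda1 / ext4 errors=remount-ro 0 1
"""


def other_access(fstype, options):
    """Return 'write', 'read' or 'none' for users who do not own the mount."""
    opts = dict(o.partition("=")[::2] for o in options.split(","))
    # Assumption: with no mask option ntfs-3g grants everyone full access and
    # FAT drivers use the mounting process's umask (taken as 022 here).
    default = 0 if fstype == "ntfs-3g" else 0o022
    umask = int(opts["umask"], 8) if "umask" in opts else default
    dmask = int(opts["dmask"], 8) if "dmask" in opts else umask
    fmask = int(opts["fmask"], 8) if "fmask" in opts else umask
    # Keep only the "other" permission bits left after masking 0777.
    dir_other, file_other = 0o7 & ~dmask, 0o7 & ~fmask
    if "ro" not in opts and (dir_other | file_other) & 0o2:
        return "write"
    if dir_other & 0o1 and file_other & 0o4:
        return "read"
    return "none"


def audit_fstab(text, prefix="/media/"):
    """Map each masked-filesystem mount point under prefix to its 'other' access."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        mount_point, fstype, options = fields[1:4]
        if mount_point.startswith(prefix) and fstype in MASKED_FS:
            report[mount_point] = other_access(fstype, options)
    return report


if __name__ == "__main__":
    for mount_point, access in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{mount_point}: other users get {access}")
```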

Martin Pitt (pitti) wrote :

Fixed in trunk r1295.

Changed in lightdm (Ubuntu):
status: New → Fix Committed
Fred (eldmannen+launchpad) wrote :

Martin,
What do you mean with "This would break desired access..." ?

The fix committed, is it a proper solution to the problem, or is it just a dirty quick fix?

Shouldn't USB sticks be mounted in /mnt/ as they're probably just temporarily mounted?

http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
/media/ Mount points for removable media such as CD-ROMs (appeared in FHS-2.3).
/mnt/ Temporarily mounted filesystems.

Martin Pitt (pitti) wrote : Re: [Bug 882862] Re: Guest account can read/write in /media/

Fred [2011-11-02 20:23 -0000]:
> Martin,
> What do you mean with "This would break desired access..." ?

There might be scenarios where the current behaviour is expected, but
as I said this sounds like a corner case.

> The fix committed, is it a proper solution to the problem, or is it just
> a dirty quick fix?

It's a proper solution, from my POV.

> Shouldn't USB sticks be mounted in /mnt/ as they're probably just
> temporarily mounted?

No, /media/ is meant for this kind of device. /mnt is meant for
administrators and manual mounting.
>
> http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
> /media/ Mount points for removable media such as CD-ROMs (appeared in FHS-2.3).
> /mnt/ Temporarily mounted filesystems.

That's right, but as you have your drives in /etc/fstab, Ubuntu
obviously should respect that. Manual entries in fstab trump all
default policies :)

Fred (eldmannen+launchpad) wrote :

Martin
> There might be scenarios where the current behaviour is expected, but
> as I said this sounds like a corner case.
Yes, there are cases where this behavior is semi-desired.

Example, I have a party at my house, and I want my guests to be able to change music and do stuff like check their Facebook.
So I log in with the guest account, since I don't want my guests to use my account.
But in this scenario, I would like the guest account to have read-only access to /media/Music/ so that music can be played from the guest account.

Martin Pitt (pitti) wrote :

precise got a new version now, should be fixed there:

lightdm (1.1.1-0ubuntu1) precise; urgency=low

  * New upstream release:
    * Support PAM requesting a change of password (lp: #911597)
    * Support for reading users' backgrounds from Accounts Service
      (lp: #844081)
    * Switching to a user without a password bypasses the greeter
      (lp: #861177)
    * Move the GTK+ and Qt greeters into their own projects
  * Drop the gtk and qt greeters packaging files from this source
  * debian/liblightdm-gobject-1-0.symbols:
    - list new lightdm_user_get_background symbol
  * debian/patches/04_CVE-2011-4105.patch,
    debian/patches/05_CVE-2011-3153.patch,
    debian/patches/09_show_lang_chooser_option.patch,
    debian/patches/10_available_languages.patch,
    debian/patches/11_set_language_in_accountsservice.patch:
    - dropped, those issues are fixed in the new version or apply to the
      gtk greeter which is moved to its own source
  * debian/rules:
    - install lightdm-set-defaults back to its previous location

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
