Debian Bug report logs - #377689
HAL policy breaks mounting for next KDE

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christopher Martin <chrsmrtn@debian.org>

To: submit@bugs.debian.org

Subject: HAL policy breaks mounting for next KDE

Date: Mon, 10 Jul 2006 14:06:27 -0400

[Message part 1 (text/plain, inline)]

Package: hal
Version: 0.5.7-2
Severity: important

The next release of KDE, 3.5.4, brings changes to how removable devices 
are mounted (by changing how dbus/HAL/pmount is used), and this has 
uncovered a problem with Debian's HAL.

Prior to 3.5.4, users running KDE could mount or unmount volumes (data 
CDs, DVDs, etc.) as long as they were members of the plugdev group. No 
entry in /etc/fstab was required for a device to be mounted; KDE would 
use fstab if it existed, but if not it created its own directory 
under /media and mounted the device there. It used pmount to do this.

Now, however, an entry under /etc/fstab is required for users to be able 
to mount a volume, and it must have the "user" or "users" option there 
as well. Otherwise, users receive an error message:

"A security policy in place prevents this sender from sending this 
message to this recipient, see message bus configuration file (rejected 
message had interface "org.freedesktop.Hal.Device.Volume" 
member "Mount" error name "(unset)" destination "org.freedesktop.Hal")"

...when trying to mount a volume. I guess KDE doesn't use pmount 
anymore.

I filed a bug against KDE, but was told that it in fact this problem was 
due to Debian's default HAL configuration. Indeed, 
editing /etc/dbus-1/system.d/hal.conf to allow 
send_interface="org.freedesktop.Hal.Device.Volume" worked.

It's worth noting that any user currently in the plugdev group can use 
pmount to mount discs under /media. Perhaps hal should follow this 
policy, which seems quite sensible, and shouldn't weaken system 
security, since pmount+plugdev is already being used to mount volumes, 
etc. The end of hal.conf would then look something like this:

<!-- You can change this to a more suitable user, or make per-group -->
<policy group="powerdev">
  <allow 
send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
  <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
</policy>

<!-- Allow plugdev members to mount volumes -->
<policy group="plugdev">
  <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
  <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
</policy>

This way KDE 3.5.4 will continue to function as users expect, and they 
won't be forced them to write /etc/fstab entries for each optical or 
removable device - exactly the sort of thing that Project Utopia was 
designed to avoid.

Thanks,
Christopher Martin

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 377689@bugs.debian.org (full text, mbox, reply):

From: "Mario J. Barchein Molina" <mario@judas.2y.net>

To: Debian Bug Tracking System <377689@bugs.debian.org>

Subject: hal: HAL policy breaks device mounting for KDE 3.5.4

Date: Mon, 31 Jul 2006 14:55:49 +0200

Package: hal
Version: 0.5.7-2
Followup-For: Bug #377689



-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-4-mario-1
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)

Versions of packages hal depends on:
ii  adduser                       3.95       Add and remove users and groups
ii  dbus                          0.62-4     simple interprocess messaging syst
ii  libc6                         2.3.6-16   GNU C Library: Shared libraries
ii  libdbus-1-2                   0.62-4     simple interprocess messaging syst
ii  libdbus-glib-1-2              0.62-4     simple interprocess messaging syst
ii  libexpat1                     1.95.8-3.2 XML parsing C library - runtime li
ii  libglib2.0-0                  2.10.3-3   The GLib library of C routines
ii  libhal1                       0.5.7-2    Hardware Abstraction Layer - share
ii  libusb-0.1-4                  2:0.1.12-2 userspace USB programming library
ii  lsb-base                      3.1-10     Linux Standard Base 3.1 init scrip
ii  pciutils                      1:2.2.1-2  Linux PCI Utilities
ii  udev                          0.093-1    /dev/ and hotplug management daemo
ii  usbutils                      0.72-4     USB console utilities

hal recommends no packages.

-- no debconf information

I can confirm bug #377689 in my system. I have added the following lines to 
/etc/dbus-1/system.d/hal.conf:

<!-- Allow plugdev members to mount volumes -->
<policy group="plugdev">
  <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
  <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
</policy>

This makes mounting work again, but I needed to remove the DVD and external USB
drive entries from /etc/fstab. With the entries active in /etc/fstab, when   
trying to mount some device through KDE I obtained the error "Permissions 
denied". 

I think this is related to conflicting mountpoints in /etc/fstab and what KDE 
wants (you can find mountpoints KDE wants in the properties dialog of each 
removable device). KDE forces mount point to be under /media/ subdirectory and
the ones I had in /etc/fstab where under /mnt/

Also, another bug is that when you have some file descriptor open on the device
(such as a console) and you try to umount or eject the device via the 
right-button menu, it just fails _silently_, with no error messages. The 
previous behaviour was to alert with an error. Reading the KDE changelog and 
the bugreports on kde.org related to the new HAL features, it seems KDE 3.5.4  
now should notice the user about open applications that block the device, but 
I am not really sure about this point. 

Please see http://bugs.kde.org/show_bug.cgi?id=50185.

Thanks in advance.

Message #15 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Christopher Martin <chrsmrtn@gmail.com>

To: 377689@bugs.debian.org

Subject: Re: HAL policy breaks mounting for next KDE

Date: Mon, 31 Jul 2006 18:14:01 -0400

> Package: hal
> Version: 0.5.7-2
> Severity: important
>
> The next release of KDE, 3.5.4, brings changes to how removable
> devices are mounted (by changing how dbus/HAL/pmount is used), and
> this has uncovered a problem with Debian's HAL.

Now that KDE 3.5.4 is in the archive, we're getting reports of breakage. 
It would be nice, therefore, if this issue were resolved.

Do you plan to accept the included fix, reject it, have an ETA on the 
next upload, etc.?

Thanks,
Christopher Martin

Message #20 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Raúl Sánchez Siles <rss@barracuda.es>

To: Debian Bug Tracking System <377689@bugs.debian.org>

Subject: hal: Possible temorary solution.

Date: Wed, 02 Aug 2006 10:18:29 +0200

[Message part 1 (text/plain, inline)]

Package: hal
Version: 0.5.7-2
Followup-For: Bug #377689

Hello. I suggest using a temporary solution which consist on modifying
the hal.conf file so that plugdev group users could mount the media.

I attach the patch. It works for me after restarting dbus and kde.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-ck1-p4s
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)

Versions of packages hal depends on:
ii  adduser                       3.95       Add and remove users and groups
ii  dbus                          0.62-4     simple interprocess messaging syst
ii  libc6                         2.3.6-15   GNU C Library: Shared libraries
ii  libdbus-1-2                   0.62-4     simple interprocess messaging syst
ii  libdbus-glib-1-2              0.62-4     simple interprocess messaging syst
ii  libexpat1                     1.95.8-3.2 XML parsing C library - runtime li
ii  libglib2.0-0                  2.10.3-3   The GLib library of C routines
ii  libhal1                       0.5.7-2    Hardware Abstraction Layer - share
ii  libusb-0.1-4                  2:0.1.12-2 userspace USB programming library
ii  lsb-base                      3.1-10     Linux Standard Base 3.1 init scrip
ii  pciutils                      1:2.2.1-2  Linux PCI Utilities
ii  udev                          0.093-1    /dev/ and hotplug management daemo
ii  usbutils                      0.72-4     USB console utilities

hal recommends no packages.

-- no debconf information

[hal.kde3.5.4.patch (text/plain, attachment)]

Message #25 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Francesco Pedrini <francesco.pedrini@gmail.com>

To: 377689@bugs.debian.org, control@bugs.debian.org

Subject: The previous patch is wrong

Date: Wed, 2 Aug 2006 14:16:45 +0200

[Message part 1 (text/plain, inline)]

tags 377689 + patch
thanks

The previous patch is wrong, the right patch is attached



-- 
:wq

[hal-kde3.5.4.patch (text/x-diff, attachment)]

[Message part 3 (application/pgp-signature, inline)]

Message #32 received at 377689@bugs.debian.org (full text, mbox, reply):

From: sjoerd@spring.luon.net (Sjoerd Simons)

To: Christopher Martin <chrsmrtn@debian.org>, 377689@bugs.debian.org, pkg-kde-talk@lists.alioth.debian.org

Subject: Re: Bug#377689: HAL policy breaks mounting for next KDE

Date: Tue, 8 Aug 2006 22:01:06 +0200

[Message part 1 (text/plain, inline)]

On Mon, Jul 10, 2006 at 02:06:27PM -0400, Christopher Martin wrote:
> Package: hal
> Version: 0.5.7-2
> Severity: important
> 
> The next release of KDE, 3.5.4, brings changes to how removable devices 
> are mounted (by changing how dbus/HAL/pmount is used), and this has 
> uncovered a problem with Debian's HAL.
> 
> Prior to 3.5.4, users running KDE could mount or unmount volumes (data 
> CDs, DVDs, etc.) as long as they were members of the plugdev group. No 
> entry in /etc/fstab was required for a device to be mounted; KDE would 
> use fstab if it existed, but if not it created its own directory 
> under /media and mounted the device there. It used pmount to do this.
> 
> Now, however, an entry under /etc/fstab is required for users to be able 
> to mount a volume, and it must have the "user" or "users" option there 
> as well. Otherwise, users receive an error message:
> 
> "A security policy in place prevents this sender from sending this 
> message to this recipient, see message bus configuration file (rejected 
> message had interface "org.freedesktop.Hal.Device.Volume" 
> member "Mount" error name "(unset)" destination "org.freedesktop.Hal")"
> 
> ...when trying to mount a volume. I guess KDE doesn't use pmount 
> anymore.

At least for gnome we have patched various part to use pmount instead of the
hal callout to do the mounting. The KDE packagers probably did the same for the
current version of KDE  and i would expect them to do the same for the next
version. I've CC'd the kde maintainers so they can give their opinion :)

Btw for etch we will probably keep using the pmount method unless somebody
comes with very good reasons to switch to hal callouts for mounting.

  Sjoerd
-- 
A method of solution is perfect if we can forsee from the start,
and even prove, that following that method we shall attain our aim.
		-- Leibnitz

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 377689@bugs.debian.org (full text, mbox, reply):

From: sjoerd@spring.luon.net (Sjoerd Simons)

To: Christopher Martin <chrsmrtn@debian.org>, 377689@bugs.debian.org

Subject: Re: Bug#377689: HAL policy breaks mounting for next KDE

Date: Tue, 8 Aug 2006 22:23:04 +0200

On Mon, Jul 31, 2006 at 06:14:01PM -0400, Christopher Martin wrote:
> > Package: hal
> > Version: 0.5.7-2
> > Severity: important
> >
> > The next release of KDE, 3.5.4, brings changes to how removable
> > devices are mounted (by changing how dbus/HAL/pmount is used), and
> > this has uncovered a problem with Debian's HAL.
> 
> Now that KDE 3.5.4 is in the archive, we're getting reports of breakage. 
> It would be nice, therefore, if this issue were resolved.
> 
> Do you plan to accept the included fix, reject it, have an ETA on the 
> next upload, etc.?

Sorry, just replied to an older part of this bug-report (Just catching up with
bugs and stuff).

The problem with the fix is that some parts of debian will use pmount and other
part hal callouts, while i would prefer that all desktops use the same way of
mounting removable media. What was the reason for KDE to drop pmount and switch
to hal callouts ?

  Sjoerd
-- 
Ya'll hear about the geometer who went to the beach to catch some
rays and became a tangent ?

Message #42 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: Sjoerd Simons <sjoerd@spring.luon.net>, 377689@bugs.debian.org

Cc: Christopher Martin <chrsmrtn@debian.org>

Subject: Re: Bug#377689: HAL policy breaks mounting for next KDE

Date: Wed, 9 Aug 2006 00:09:42 +0200

[Message part 1 (text/plain, inline)]

Hi,

Sjoerd Simons [2006-08-08 22:23 +0200]:
> The problem with the fix is that some parts of debian will use pmount and other
> part hal callouts, while i would prefer that all desktops use the same way of
> mounting removable media. What was the reason for KDE to drop pmount and switch
> to hal callouts ?

For the record, we recently had the very same problem, so I changed
ubuntu's hal to enable the storage scripts again, and patched them to
use pmount. So we get the best of both worlds: the rigid pmount policy
checks, and the rather convenient hal interface, which has already
become a standard interface in both KDE and gnome-volume-manager. 

FYI I attach the relevant bzr diffs (sorry, a bit messy).

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

[hal.pmount-scripts.diff (text/plain, attachment)]

[hal.pmount-scripts.2.diff (text/plain, attachment)]

[hal.pmount-scripts.3.diff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Christopher Martin <chrsmrtn@gmail.com>

To: 377689@bugs.debian.org

Cc: Martin Pitt <mpitt@debian.org>

Subject: Re: Bug#377689: HAL policy breaks mounting for next KDE

Date: Thu, 10 Aug 2006 20:20:42 -0400

On Tuesday 08 August 2006 18:09, Martin Pitt wrote:
> Sjoerd Simons [2006-08-08 22:23 +0200]:
> > The problem with the fix is that some parts of debian will use
> > pmount and other part hal callouts, while i would prefer that all
> > desktops use the same way of mounting removable media. What was the
> > reason for KDE to drop pmount and switch to hal callouts ?
>
> For the record, we recently had the very same problem, so I changed
> ubuntu's hal to enable the storage scripts again, and patched them to
> use pmount. So we get the best of both worlds: the rigid pmount
> policy checks, and the rather convenient hal interface, which has
> already become a standard interface in both KDE and
> gnome-volume-manager.
>
> FYI I attach the relevant bzr diffs (sorry, a bit messy).

This sounds perfect, though I haven't yet had time to test it. Sjoerd, 
any thoughts?

Cheers,
Christopher Martin

Message #52 received at 377689@bugs.debian.org (full text, mbox, reply):

From: sjoerd@spring.luon.net (Sjoerd Simons)

To: Christopher Martin <chrsmrtn@debian.org>, 377689@bugs.debian.org

Cc: Martin Pitt <mpitt@debian.org>, control@bugs.debian.org

Subject: Re: Bug#377689: HAL policy breaks mounting for next KDE

Date: Fri, 11 Aug 2006 10:19:08 +0200

[Message part 1 (text/plain, inline)]

tags 377689 +pending
thanks,

On Thu, Aug 10, 2006 at 08:20:42PM -0400, Christopher Martin wrote:
> On Tuesday 08 August 2006 18:09, Martin Pitt wrote:
> > Sjoerd Simons [2006-08-08 22:23 +0200]:
> > > The problem with the fix is that some parts of debian will use
> > > pmount and other part hal callouts, while i would prefer that all
> > > desktops use the same way of mounting removable media. What was the
> > > reason for KDE to drop pmount and switch to hal callouts ?
> >
> > For the record, we recently had the very same problem, so I changed
> > ubuntu's hal to enable the storage scripts again, and patched them to
> > use pmount. So we get the best of both worlds: the rigid pmount
> > policy checks, and the rather convenient hal interface, which has
> > already become a standard interface in both KDE and
> > gnome-volume-manager.
> >
> > FYI I attach the relevant bzr diffs (sorry, a bit messy).
> 
> This sounds perfect, though I haven't yet had time to test it. Sjoerd, 
> any thoughts?

I talked to martin yesterday evening. And it indeed seems to be a sane thing to
do. I'll probably integrate this either sunday evening or at the beginning of
next week (Working today, gone for the weekend). Testing is ofcourse
appreciated (especially if encrypted luks volumes work)

  Sjoerd
-- 
All syllogisms have three parts, therefore this is not a syllogism.

[signature.asc (application/pgp-signature, inline)]

Message #59 received at 377689-close@bugs.debian.org (full text, mbox, reply):

From: Sjoerd Simons <sjoerd@debian.org>

To: 377689-close@bugs.debian.org

Subject: Bug#377689: fixed in hal 0.5.7.1-1

Date: Tue, 15 Aug 2006 14:32:05 -0700

Source: hal
Source-Version: 0.5.7.1-1

We believe that the bug you reported is fixed in the latest version of
hal, which is due to be installed in the Debian FTP archive:

hal-device-manager_0.5.7.1-1_all.deb
  to pool/main/h/hal/hal-device-manager_0.5.7.1-1_all.deb
hal-doc_0.5.7.1-1_all.deb
  to pool/main/h/hal/hal-doc_0.5.7.1-1_all.deb
hal_0.5.7.1-1.diff.gz
  to pool/main/h/hal/hal_0.5.7.1-1.diff.gz
hal_0.5.7.1-1.dsc
  to pool/main/h/hal/hal_0.5.7.1-1.dsc
hal_0.5.7.1-1_powerpc.deb
  to pool/main/h/hal/hal_0.5.7.1-1_powerpc.deb
hal_0.5.7.1.orig.tar.gz
  to pool/main/h/hal/hal_0.5.7.1.orig.tar.gz
libhal-dev_0.5.7.1-1_powerpc.deb
  to pool/main/h/hal/libhal-dev_0.5.7.1-1_powerpc.deb
libhal-storage-dev_0.5.7.1-1_powerpc.deb
  to pool/main/h/hal/libhal-storage-dev_0.5.7.1-1_powerpc.deb
libhal-storage1_0.5.7.1-1_powerpc.deb
  to pool/main/h/hal/libhal-storage1_0.5.7.1-1_powerpc.deb
libhal1_0.5.7.1-1_powerpc.deb
  to pool/main/h/hal/libhal1_0.5.7.1-1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377689@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sjoerd Simons <sjoerd@debian.org> (supplier of updated hal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Aug 2006 15:45:35 +0200
Source: hal
Binary: libhal-dev libhal-storage1 hal-doc libhal-storage-dev hal libhal1 hal-device-manager
Architecture: source powerpc all
Version: 0.5.7.1-1
Distribution: unstable
Urgency: low
Maintainer: Sjoerd Simons <sjoerd@debian.org>
Changed-By: Sjoerd Simons <sjoerd@debian.org>
Description: 
 hal        - Hardware Abstraction Layer
 hal-device-manager - Hardware Abstraction Layer user interface
 hal-doc    - Hardware Abstraction Layer
 libhal-dev - Hardware Abstraction Layer - development files
 libhal-storage-dev - Hardware Abstraction Layer - development files
 libhal-storage1 - Hardware Abstraction Layer - shared library for storage devices
 libhal1    - Hardware Abstraction Layer - shared library
Closes: 361785 366008 375143 375144 377689 381708 382183
Changes: 
 hal (0.5.7.1-1) unstable; urgency=low
 .
   [ Sjoerd Simons ]
   * New upstream release
   * debian/hal.postinst,debian/hal.postrm,debian/rules: Rename the hal daemon
     user to haldaemon (was hal)
   * debian/hal.postinst: Created the plugdev system group if it doesn't exist
   * debian/hal.links: Change the udev rules.d link from 050_hal-plugdev.rules
     to z99_hal.rules to ensure hal gets its data after all the udev magic.
   * debian/patches/09_sony_brightness.patch:
     - Apply trivial upstream patch to fix LCD brightness setting on Sony
       laptops.
     - From the ubuntu hal package which took it from upstream, thanks to Paolo
       Borelli
   * debian/patches/12_refresh_acpi_states.patch:
     - Added. refresh ACPI events after suspend/hibernate
     - From the ubuntu hal package, patch created by Paul Sladen based on
       upstream CVS.
   * debian/patches/14_probe_volume_invalidlabel.patch
     - Added. Don't try to fix device labels with invalid UTF-8 characters if
       more than 20% of the characters is invalid.  This avoids totally
       unintelligible labels while still preserving only mildly damaged ones.
     - From the ubuntu hal package, patch created by Martin Pitt
   * debian/patches/15_mount_scripts_pmount.patch:
     - Change mount/umount scripts to call pmount-hal/pumount as the
       destination user instead of mount/umount as root. This way, we do not
       have to rely on hal properties for sanity checking, which are unreliable
       in hal's current trust model.
     - Change eject script to call eject as the destination user instead of
       root.
     - This change should be completely transparent to the outside world, so
       that KDE and gnome-mount will just work. (Closes: #377689)
     - From the ubuntu hal package, patch created by Martin Pitt.
   * debian/patches/16_dont_stat_autofs.patch:
     - Added. Don't stat autofs filesystems as that will remount.
       (Closes: #361785) (From upstream git)
   * debian/patches/17_fix_dbus_090_build.patch:
     - Added. Fix build with dbus >= 0.90 (From upstream git)
   * debian/patches/18_hald_runner_fd_leak.patch
     - Added. Fix fd leak in hald-runner. Patch by Mike Hommey (Closes: #375143)
   * debian/patches/debian/patches/19_sonypi_support.patch:
     - Added. Support sonypi using laptops (Closes: #375144) (From upstream git)
   * debian/patches/07_suspend2.patch:
     - Updated. Don't try to use suspend2 to suspend a pmu machine, which can
     crash the machine. (Closes: #366008)
   * debian/patches/20_uswsusp.patch:
     - Added. Use uswsusp for suspend and hibernation if available. Patch by
     Tim Dijkstra. (Closes: #382183)
   * debian/patches/21_acpi_support.patch:
     - Added. Use acpi-support for suspend and hibernation if available.
     (Closes: #381708)
 .
   [ Sebastian Dröge  ]
   * debian/pycompat,
     debian/control,
     debian/rules:
     + update to the new Python Policy
   * debian/control:
     + Bump Standards-Version to 3.7.2
     + Add myself to Uploaders
Files: 
 78ec4de0c26959b41451f1aa129f7938 958 admin optional hal_0.5.7.1-1.dsc
 dcc19f23deb59fddca7c9804f5a8cc32 1498909 admin optional hal_0.5.7.1.orig.tar.gz
 e6cb0bf273efc761dc29fd9cf072e7b7 49434 admin optional hal_0.5.7.1-1.diff.gz
 9567ddbe53cf01c9e8e03130dbc18251 193506 admin optional hal-device-manager_0.5.7.1-1_all.deb
 deebb9f568e29e8a53aac704106b1486 269992 doc optional hal-doc_0.5.7.1-1_all.deb
 bfa15108875e674dafaa3b944dc022e0 369874 admin optional hal_0.5.7.1-1_powerpc.deb
 efea1bbda3341956feac0d2226fc85eb 150960 libs optional libhal1_0.5.7.1-1_powerpc.deb
 79fcfc332d1b2418023eed7e194c0121 152690 libs optional libhal-storage1_0.5.7.1-1_powerpc.deb
 8ca22d1df2a8cd0a9d079c88aaec943d 156202 libdevel optional libhal-dev_0.5.7.1-1_powerpc.deb
 67030968c4be86f06d20e99fcf193328 154448 libdevel optional libhal-storage-dev_0.5.7.1-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE4h8bgTd+SodosdIRAnxLAJ963/615hP5P68GJTdR4uvOvRJSvQCcDmZW
JlKzBzYzfJbkJN/qwOp1xfA=
=TM7P
-----END PGP SIGNATURE-----

Message #64 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Jean-Christophe Dubacq <jcdubacq1@free.fr>

To: debian-kde@lists.debian.org

Subject: Re: Cannot mount usb key (and I read the archives)

Date: Tue, 29 Aug 2006 15:49:00 +0200

On Tue, Aug 29, 2006 at 02:27:37PM +0200, Jean-Christophe Dubacq wrote:
> Hello,
> 
> I am suffering from exactly the same symptoms as described in bug
> #377689: when inserting a usb key, I get the "A security policy in place
> prevents this sender from sending this message to this recipient, see
> message bus configuration file (rejected message had interface
> org.freedesktop.Hal.Device.Volume member Mount error name "(unset)"
> destination "org.freedesktop.Hal") ".
> 
> However my /etc/dbus-1/system.d/hal.conf is as the default in hal
> 0.5.7.1-1 (I have an unstable up-to-date from this morning, 29th of
> August, so 14 days after the bug has been fixed) (see at the end)
> 
> My kde version is (for kdebase-kio-plugins) 4:3.5.4-2.
> 
> The device is correctly created by udev. Under gnome, the window pops up
> with no problems. I tried with several brands of usb keys.
> The "use hal subsystem" in kontrol-center is enabled (but grayed out,
> like "enabled and not disableable").
> 
> pmount invoked on the device just works fine.
> 
> Any idea ?

After further investigation it seems that adding myself to the plugdev
group in /etc/group works, but using the facility of
/etc/security/group.conf :

gdm;*;*;Al0000-2400;cdrom, audio, video, hal, plugdev, users, fuse,
scanner, floppy, console
login;*;*;Al0000-2400;cdrom, audio, video, hal, plugdev, users, fuse,
scanner, floppy, console
ssh;*;*;Al0000-2400;users, fuse

which yields correcly the plugdev and others groups in the terminal when
typing "groups", does not work.

I presume that this is because of the "slave" structure of KDE.

I really would like to know what are the precise messages sent by KDE,
and by which user/group combination.

However, I am sorry to say that 377689 is not fixed, but the fault may
not be in hal anymore.

Or is the /etc/security/groups.conf not supported?

Message #69 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Jean-Christophe Dubacq <jcdubacq1@free.fr>

To: debian-kde@lists.debian.org

Cc: 377689@bug.debian.org

Subject: Re: Cannot mount usb key (and I read the archives)

Date: Wed, 30 Aug 2006 12:06:04 +0200

On Tue, Aug 29, 2006 at 02:27:37PM +0200, Jean-Christophe Dubacq wrote:
> Hello,
> 
> I am suffering from exactly the same symptoms as described in bug
> #377689: when inserting a usb key, I get the "A security policy in place
> prevents this sender from sending this message to this recipient, see
> message bus configuration file (rejected message had interface
> org.freedesktop.Hal.Device.Volume member Mount error name "(unset)"
> destination "org.freedesktop.Hal") ".

I must give a few precisions here:
- I am using hal 0.5.7.1-1 (which includes the fix mentioned in 377689)
- I do not doubt that this works for people : I have tested, and it
  works when my user is added to group plugdev via /etc/group, not when
  my user is granted plugdev group through /etc/security/group.conf

-- 
JCD

Message #70 received at 377689-done@bugs.debian.org (full text, mbox, reply):

On Wed, Aug 30, 2006 at 12:06:04PM +0200, Jean-Christophe Dubacq wrote:
> I must give a few precisions here:
> - I am using hal 0.5.7.1-1 (which includes the fix mentioned in 377689)
> - I do not doubt that this works for people : I have tested, and it
>   works when my user is added to group plugdev via /etc/group, not when
>   my user is granted plugdev group through /etc/security/group.conf

This is because dbus checks the groups of the user as is provided by the
adminstrative database (/etc/groups if you use normal files), not the groups a
user has in the session that sends the request. So what your trying to do
unfortunately doesn't work this way for hal callouts.

If you only want users who are currently at the foreground console to mount
things then libpam-foreground would be a possible solution. But dbus needs
support for that, which it currently doesn't have.

I'm closing this bug, as it's not a hal problem. And dbus can't be fixed to
support your setup. A possible follow-up would be to file a wishlist bug on
dbus to integrate libpam-foreground support. But i'm not that eager to do that
as libpam-foreground currently doesn't have a maintainer in debian...

  Sjoerd
-- 
My religion consists of a humble admiration of the illimitable superior
spirit who reveals himself in the slight details we are able to perceive
with our frail and feeble mind.
		-- Albert Einstein

Message #71 received at 377689-done@bugs.debian.org (full text, mbox, reply):

From: Jean-Christophe Dubacq <jcdubacq1@free.fr>

To: sjoerd@spring.luon.net (Sjoerd Simons)

Cc: debian-kde@lists.debian.org, 377689-done@bugs.debian.org

Subject: Re: Bug#377689: Cannot mount usb key (and I read the archives)

Date: Tue, 5 Sep 2006 07:25:57 +0200

Le 4 sept. 06 à 21:49, Sjoerd Simons a écrit :

> This is because dbus checks the groups of the user as is provided  
> by the
> adminstrative database (/etc/groups if you use normal files), not  
> the groups a
> user has in the session that sends the request. So what your trying  
> to do
> unfortunately doesn't work this way for hal callouts.

I do not understand, because Gnome manages to do it.

And it should at least be noted somewhere in a README, maybe in dbus  
or else, that /etc/security/group.conf is not supported by dbus. If I  
understand correctly, this is because dbus is a system-wide daemon  
and has no access to "the user in the session" (due to its  
asynchronous nature, it is not inheriting anything from the process  
that issues the request), so I concede that it would be a bit  
difficult (read "non-natural") to have this setup working. But I'd  
really would like this to be noted in either dbus, hal, or wherever  
the plugdev requirement is noted.

Thanks for finding the culprit anyway.
-- 
JCD

Message #72 received at 377689-done@bugs.debian.org (full text, mbox, reply):

From: Sjoerd Simons <sjoerd@spring.luon.net>

To: Jean-Christophe Dubacq <jcdubacq1@free.fr>

Cc: debian-kde@lists.debian.org, 377689-done@bugs.debian.org

Subject: Re: Bug#377689: Cannot mount usb key (and I read the archives)

Date: Tue, 5 Sep 2006 08:03:28 +0200

On Tue, Sep 05, 2006 at 07:25:57AM +0200, Jean-Christophe Dubacq wrote:
> Le 4 sept. 06 à 21:49, Sjoerd Simons a écrit :
> 
> >This is because dbus checks the groups of the user as is provided  
> >by the
> >adminstrative database (/etc/groups if you use normal files), not  
> >the groups a
> >user has in the session that sends the request. So what your trying  
> >to do
> >unfortunately doesn't work this way for hal callouts.
> 
> I do not understand, because Gnome manages to do it.

The difference is that debians gnome-volume-manager calls pmount, which runs in
your session and checks the groups of the caller. As soon als
gnome-volume-manager in debian shifts to the hal callouts it will fail too.
 
> And it should at least be noted somewhere in a README, maybe in dbus  
> or else, that /etc/security/group.conf is not supported by dbus. If I  
> understand correctly, this is because dbus is a system-wide daemon  
> and has no access to "the user in the session" (due to its  
> asynchronous nature, it is not inheriting anything from the process  
> that issues the request), so I concede that it would be a bit  
> difficult (read "non-natural") to have this setup working. 

Correct.

> But I'd  really would like this to be noted in either dbus, hal, or wherever
> the plugdev requirement is noted.

I'll add a note in hal's README. I don't know if the KDE part that does the
mounting has some info about the plugdev group, but it would be nice to add
some info about this there too.

  Sjoerd
-- 
It's hard to think of you as the end result of millions of years of evolution.

Message #77 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Pedro Celestino dos Reis Rodrigues <reis@fc.ul.pt>

To: 377689@bugs.debian.org

Subject: HAL policy breaks mounting for next KDE

Date: Fri, 17 Nov 2006 20:27:06 +0000

Hi

And what do you think about hal daemon doing a fake login to the user (through 
pam) and get the id information there.

This provides an uniform way of knowing about user group ownership no mather 
pam is configured.

This is from a desperate guy trying to put 800 user working with plugdev over 
a 50 machines cluster.
Loosing /etc/security/group.conf and pam_group capability, the only chance is 
changing 'deny' to 'allow' for the 'Device.Volume' entries in the '<policy 
context="default">' section or, even worst, have a group with 800 users in 
the ldap database and tweaking /etc/groups in every machine to remove 
plugdev.

Thanks for any help
-- 
_____________________________________________________________
Pedro Celestino dos Reis Rodrigues
Departamento de Química e Bioquímica
Faculdade de Ciências da Universidade de Lisboa
Tel: 21750000-28619

Message #82 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Dean Montgomery <dmonty@sd73.bc.ca>

To: 377689@bugs.debian.org

Subject: HAL policy breaks mounting for next KDE

Date: Mon, 4 Dec 2006 16:38:42 -0800

Our Schools need /etc/security/group.conf and pam_group to work with dbus/hal!

NIS has limitations to the number of users in a group.  It is not possible to 
add every user to the plugdev group.  

Message #87 received at 377689@bugs.debian.org (full text, mbox, reply):

From: Dean Montgomery <dmonty@sd73.bc.ca>

To: 377689@bugs.debian.org

Subject: HAL policy breaks mounting for next KDE

Date: Wed, 6 Dec 2006 16:59:01 -0800

> Our Schools need /etc/security/group.conf and pam_group to
> work with dbus/hal! 
>
> NIS has limitations to the number of users in a group.
> It is not possible to add every user to the plugdev group.

In our schools every user's primary group is either "students" or "teachers", 
so I was able to fix this by adding the following 
to /etc/dbus-1/system.d/hal.conf

  <policy group="teachers">
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>
  <policy group="students">
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>

This will work with the NIS group size limitations.

I did not have time to figure out how to use "pam_console" or "at_console" or 
study all of the dbus docs.

Send a report that this bug log contains spam.