3

My installation of CentOS 6.5 has stopped auto-mounting DVDs in KDE (default) X Window desktop environment (e.g. with all the KDE helper functions). Trying to troubleshoot this unexpected change in DE operations, I looked at:

  • /etc/fstab
  • /etc/group

I didn't notice anything had changed. Reading the man page for mount, I added a new line to fstab:

/dev/sr0   /media/dvd   iso9600   ro,users,noauto,unhide

Then, I added my non-root user (chris) to group users; however, mount continues to be accessible only to root:

$ mount -a
mount: only root can do that
$ mount /dev/sr0 /media/dvd
mount: only root can do that
$ mount /dev/sr0 /media/dvd
mount: only root can do that

The only command which is working right now is:

$ sudo mount /dev/sr0 /media/dvd

What are all the working pieces to granting users permission to mount DVDs? Bonus: why would KDE suddenly stop mounting DVDs?

xtian
  • 583

3 Answers

1
$ mount -a
mount: only root can do that

This command tries to mount all entries in /etc/fstab, and since not all of them have the user/users option, that will not be possible for a user that has no admin privileges.

$ mount /dev/sr0 /media/dvd
mount: only root can do that

This specifies both the device to be mounted and the mountpoint, effectively not requiring /etc/fstab at all (as the filesystem-specific default mount options will be assumed if you don't specify them on the command line, and filesystem type autodetection will be performed if you don't specify the filesystem type). This is powerful enough to trivially open all kinds of security holes, and so non-root users are not authorized to use this form of the mount command at all.


When using mount as a non-root user to mount an admin-prepared /etc/fstab entry that has the user/users mount option, you must specify either only the device or only the mountpoint. This will make the mount command look up the missing parts of the full command line in /etc/fstab, and so the command will see that a non-root user has been authorized to perform that specific mount.

So either of these mount commands and only these would allow the non-root user to mount the CD/DVD, given the /etc/fstab line specified in the OP:

mount /dev/sr0

or

mount /media/dvd

When used by a non-root user, the mount command will also check that the user will be able to access both the device and the mountpoint, and will reject the command if this is not true. Often the login session set-up (usually in the form of PAM modules) grants the user access to removable devices when the user is logging in locally. This can be done either by granting a locally-logged-in user some extra group memberships (that fit in with the device permissions configured by udev rules), or on modern Linux distributions, by having the devices tagged in udev with a TAG+="uaccess", which will trigger the session setup to add an ACL to those devices on a local login, and to remove it on logout.

If a non-root user needs to be authorized to mount removable devices over a SSH session or other remote login, many distributions provide pre-configured user groups for the purpose (e.g. the cdrom or plugdev groups).


GUI environments usually have their own mechanisms for allowing users to mount removable media, with their own restrictions. At the time of this writing, udisksd is a commonly-used system-level component for this. It communicates over the system D-Bus with the udisksctl command-line tool or any number of GUI file managers and removable media access tools.

telcoM
  • 96,466
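
The lookup rule from the answer above, as an added example that is not part of the original answer and is not the logic of mount(8) itself: it models only the `user`/`users` check against a constructed sample fstab and ignores the separate device and mountpoint access checks. The function name `can_user_mount` and the sample entries are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: a model of the rule above, not the logic of mount(8) itself.
# It covers only the user/users options and ignores device/mountpoint access.

# Constructed sample fstab; the /dev/sr0 entry is modelled on the question's.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# device   mountpoint   type     options                 dump pass
/dev/sda1  /            ext4     defaults                1 1
/dev/sr0   /media/dvd   iso9660  ro,users,noauto,unhide  0 0
/dev/sdb1  /mnt/backup  ext4     noauto                  0 0
EOF

# can_user_mount FSTAB ARG...
# ARG... are the operands a non-root user would pass to mount.
# Prints a verdict; returns 0 only when the fstab entry authorizes the mount.
can_user_mount() {
    fstab=$1
    shift
    if [ "$#" -ne 1 ]; then
        # Device AND mountpoint given: fstab is bypassed, so root only.
        echo "refused: give only the device or only the mountpoint"
        return 1
    fi
    awk -v target="$1" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 == target || $2 == target {         # match on device or mountpoint
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "user" || opt[i] == "users") ok = 1
            exit                               # model uses first match; go to END
        }
        END {
            if (!found) { print "refused: no fstab entry for " target; exit 2 }
            if (!ok)    { print "refused: entry lacks user/users"; exit 3 }
            print "allowed: fstab entry authorizes a non-root mount"
        }
    ' "$fstab"
}

# Demo: the three forms discussed in the answer, plus an unauthorized entry.
can_user_mount "$SAMPLE_FSTAB" /dev/sr0 /media/dvd || true
can_user_mount "$SAMPLE_FSTAB" /dev/sr0 || true
can_user_mount "$SAMPLE_FSTAB" /media/dvd || true
can_user_mount "$SAMPLE_FSTAB" /mnt/backup || true
```

Pointing the function at a copy of a real /etc/fstab shows which entries an administrator has opened to non-root users.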
0

I'm not sure your question has a clean answer because of the way mounting impacts the system. I found this thread:

Why does mount require root privileges?

It mentions the way mounting can be used to gain root access to a system, thus it's generally locked down to the root user, so it's not really a cut and dry thing, it would seem. However, I'm sure if you throw caution to the wind, you could perform some less-than-best-practices that would allow you to execute mount from a 'user' level user.

I think the answer you're looking for is here:

Allow non-superusers to mount any filesystem

  • This seems an example where logging in as root is necessary. The second link seems really hacky. I'm cataloging my DVDs and files and some files are owned by root or other random (like nx). Disks were either completely inaccessible or worse--partially accessible (I only just noticed some rsync'd directories skipped because they were from a portable device which has every file owned by root). – xtian May 10 '15 at 14:28
0

A few points here:

  1. First, remove noauto, because that would prevent mount -a from working.

  2. Then also check if the "T" bit is set on /media/dvd, such as

    chmod +t /media/dvd
    

This will set the sticky bit on the dvd directory so that anybody can write to it, and own and be able to remove or modify only his/her files and directories.

  3. In addition, the CAP_SYS_ADMIN Linux capability is required to mount.

For further information on this, see:

How do you add `cap_sys_admin` permissions to user in CentOS 7?

  4. Change "users" to "user"

That should solve your issues.

mkzia
  • 39
  • (2) Can you explain what the t mode bit does in this context; i.e., why it is important? (3) What does “CAP_SYS_ADMIN Linux capability is required to mount” mean, in terms that are meaningful to the user? … … … … … … … … … … Please do not respond in comments; [edit] your answer to make it clearer and more complete. – Scott - Слава Україні Jun 08 '19 at 16:51