Sunday, January 22, 2006

HAL, on the wrong way?!

Lately, HAL development has been heading in an unclear direction. Is HAL a Hardware Abstraction Layer or an 'all-in-one big black hole'? It's not only the discussion on the HAL list about implementing active power-management code (e.g. setting/controlling cpufreq) that gives me the impression that the project is on the wrong track.

Currently there are several people who try to implement everything in HAL only because they will not (or are not able to) implement what they need in a clean, small and effective program or daemon - simply in the UNIX way.

The discussion between the g-p-m maintainer and other pm-related people (including the powersave developers) is only one example of this. Instead of developing a power management daemon with a DBUS interface, or defining a DBUS interface for all pm daemons, or, much easier, using an existing daemon, they implement parts of this in HAL (e.g. calls for suspend/standby/set brightness ...) - this is not a solution for anything. Another example is adding methods for reboot and shutdown to HAL. Now we have one more place (the HAL dbus configuration) where we need to change settings if we want to prevent the user from shutting down the machine (as e.g. on SLES/NLD). Thanks!

But the screwiest idea is to add Format() and PartitionDisk() to HAL to allow unprivileged users to format volumes and to partition disks. There are good reasons why this is only allowed for privileged users. You can't allow an unprivileged user to format a device which he does not own. As a user you can't delete/access files on a device you do not own, but you can format the disk? This is not only screwy, this is really stupid and breaks all existing security and permission concepts.

I can understand that there are use cases where the user wants to be able to format a floppy (even though I think floppies are obsolete ... we should drop support for floppy disks ;-) ) or his FAT USB stick without the root password, but how often is this needed? Once per month or week? Sorry, but in these cases it's o.k. to use sudo/su or a solution like YaST.

If we get such bypasses in HAL, and allow everything to everyone, only because some people think "input root password is extremely unintuitive and user don't grok it", then we could also set all permissions to 777, drop HAL and all security concepts. In this case, I am waiting for the first Linux viruses which use HAL methods to format your disk without needing root permissions (maybe only because the HAL dbus config is not adapted to the environment). Windows sends its regards, and if it's in HAL it will also be used by someone.

I would suggest: think more about sense and nonsense before implementing such (unneeded) security-breaking features, and work on really important things such as the needed hardware abstraction, ..., stability and speed of HAL.

3 comments:

James Ots said...

Thinking about it, a user should be able to do what they like to floppy disks they have inserted, and USB devices they have attached. Is there some way to tell Linux which devices they should have full permission on when they log in - maybe by knowing where their terminal is and what connections they have available or something? Don't know what this has to do with HAL because I know very little about HAL, but I thought about it when reading your blog so I thought I'd jot it down before I forgot!

Danny said...

As I wrote, I also think this is maybe useful for the user and we could allow this for devices such as floppies and USB sticks. But in the case of USB sticks and also USB/Firewire hard disks you can do this only for VFAT filesystems.

For all other Linux filesystems with real UNIX permissions (user/group rwx) IMO you should not be able to overwrite the filesystem if you do not own all files/permissions.

Btw. the problem is IMO that you must distinguish between a USB hard disk and a USB stick, and this is currently not possible. The problem is, you get no information from the device and you can't say everything over 1 or 2 GB is a hard disk, because there are currently IMO sticks with max. 16 GB possible.

IMO one real problem is:
1.) that with HAL you add a new permission layer over the existing one, and at least you must handle/admin two policies instead of one. This results in more work for the admin and one more source of bugs
2.) with the first point you get different settings between a user on console and on desktop, because HAL does not set the console settings.

IMO this is not the best way, but time will tell.

Michael said...

I think that there is a certain historical confusion here. Originally, mounting was designed for extending the internal file system of multiuser machines, and was obviously a root-only affair. It was later extended to deal with removable media as well, which is actually a rather different affair. Surely, a user should be allowed to mount, unmount, format, whatever their own media - but permissions on mounted volumes should be restricted to ones the user is allowed to create. I.e. a root-owned file on an ext2 formatted floppy should be introduced into the system as owned by that user, not as root. Surely external media is a transport media, and the user should have full control over it. On the other hand, if a system's /home is kept on a USB hard drive, it should need to be mounted as root.