[gentoo-user] xfce woes

[gentoo-user] xfce woes

[John]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gentoo Lite Users,

I have recently upgraded to xfce 4.8
All seems to be well apart from
a) Normal Users cannot shutdown
b) Normal Users cannot automount using xfce (can through sudo mount).

I have followed xfce guide using use flags as suggested.

Users are in plugdev group
dbus and consolekit are in default runlevel.

I have removed hal (by masking) and makes no difference.

Have tried adding /usr/lib64/xfce4/session/xfsm-shutdown-helper
to sudo but no help there.

Have looked on a few forums and suggested that config file for this
is /etc/dbus.d/system.d/hal.conf. This does have a gentoo section which
looks like it would allow above.

Any suggestions would be appreciated.

I have this issue on 2 machines.


- -- 
John D Maunder
john@articwolf.myzen.co.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iQEcBAEBAgAGBQJNSa8nAAoJEOuCgqleN2EyeUwH/1Fw2uxm+UdGM9MYP3kOumz5
tPqXemnrAfne41cIslzKbUI11yXrZrFbVAe2cOAsYN4MWIgwzJgh4vwe0vqMadEa
2JmaEEx2mrd7gecTQnv7Qctc7L7PECXt7YKUcwAs7jXZK5AFq4blknqy8ra1gE9o
lyhRh0nJc1fFu6jI1O1tQ2TdeIyi631+qAM8LiM905vY+qGE+L4xmKclC3syMCF8
zPvTyR8J7cqn5E+6T2APoT0EPw2fm0ad8B5awQumL+LA5Uc8eXpKgrPqSmPoAsh4
aEGfH4YAK70Bkz4kVPAxn6IxORjTdR1A068d7CV4M0ujidHF4XCQe7V1FrQ9KV0=
=xut7
-----END PGP SIGNATURE-----

[gentoo-user] Re: xfce woes

[walt]

On 02/02/2011 11:23 AM, John wrote:

> I have recently upgraded to xfce 4.8
> All seems to be well apart from
> a) Normal Users cannot shutdown
> b) Normal Users cannot automount using xfce (can through sudo mount).

I understand very well your frustration because my gnome desktop goes
through periods where those things work, and then for some time they
don't work, etc, ad infinitum.

As much as I like the convenience of automounting as a luser, all of
my bofh instincts cry out that lusers shouldn't even be allowed to log
into my system, much less actually mount(!?!) a filesystem!

This is one of those Windows/convenience versus unix/security things,
I think, but I'm just an amateur bofh.

What do you professional bofhs think?

Re: [gentoo-user] Re: xfce woes

[Alan McKinnon]

Apparently, though unproven, at 00:00 on Thursday 03 February 2011, walt did 
opine thusly:

> On 02/02/2011 11:23 AM, John wrote:
> > I have recently upgraded to xfce 4.8
> > All seems to be well apart from
> > a) Normal Users cannot shutdown
> > b) Normal Users cannot automount using xfce (can through sudo mount).
> 
> I understand very well your frustration because my gnome desktop goes
> through periods where those things work, and then for some time they
> don't work, etc, ad infinitum.
> 
> As much as I like the convenience of automounting as a luser, all of
> my bofh instincts cry out that lusers shouldn't even be allowed to log
> into my system, much less actually mount(!?!) a filesystem!
> 
> This is one of those Windows/convenience versus unix/security things,
> I think, but I'm just an amateur bofh.
> 
> What do you professional bofhs think?

Depends on what the machine is used for.

For a multiuser box, you probably want user to not shutdown/reboot, be able to 
mount removeable media and nfs shares, not mount fixed disks.

For a terminal server serving thin clients, you likely want users to not be 
able to do any of that on the server.

For a single user workstation, the sole user should be able to do all of it.

Perhaps yourself and the maintainer writing the template config disagree on 
the basic purpose of the machine in question.


-- 
alan dot mckinnon at gmail dot com

[gentoo-user] Re: xfce woes

[walt]

On 02/02/2011 09:15 PM, Alan McKinnon wrote:
> Apparently, though unproven, at 00:00 on Thursday 03 February 2011, walt did
> opine thusly:

>> As much as I like the convenience of automounting as a luser, all of
>> my bofh instincts cry out that lusers shouldn't be allowed to
>  mount a filesystem!
>>
>> This is one of those Windows/convenience versus unix/security things,
>> I think, but I'm just an amateur bofh.
>>
>> What do you professional bofhs think?
>
> Depends on what the machine is used for.
>
> For a multiuser box, you probably want user to not shutdown/reboot,

Yes, even I thought of that.  As an amateur, though, I have no idea how many
multi-user machines still exist.

When I was a lad, the campus computer(s) still ran batch jobs submitted on
punch cards.  We had to wait for hours or even the next day to discover a
stupid typo.

Actually, the profs didn't use punchcards, just us peons.  The profs had
dumb terminals so they could log in to the central server -- and sit for
as long as five minutes to discover if the server had crashed, or was
just busy serving the needs of the department chairman's secretary.

Over the years, the frustrations have merely morphed, not vanished :(

> be able to mount removeable media...

That was really what I was asking.  I hear horror stories about employees
plugging usb thumb drives into corporate workstations to steal files, or
maybe infecting the whole network with malware from a "lost" thumb drive
found at a bus stop or a car park.

Re: [gentoo-user] Re: xfce woes

[Alan McKinnon]

Apparently, though unproven, at 00:15 on Friday 04 February 2011, walt did 
opine thusly:

> On 02/02/2011 09:15 PM, Alan McKinnon wrote:
> > Apparently, though unproven, at 00:00 on Thursday 03 February 2011, walt
> > did
> > 
> > opine thusly:
> >> As much as I like the convenience of automounting as a luser, all of
> >> my bofh instincts cry out that lusers shouldn't be allowed to
> >> 
> >  mount a filesystem!
> >  
> >> This is one of those Windows/convenience versus unix/security things,
> >> I think, but I'm just an amateur bofh.
> >> 
> >> What do you professional bofhs think?
> > 
> > Depends on what the machine is used for.
> > 
> > For a multiuser box, you probably want user to not shutdown/reboot,
> 
> Yes, even I thought of that.  As an amateur, though, I have no idea how
> many multi-user machines still exist.

I have more than 120 of them....

> When I was a lad, the campus computer(s) still ran batch jobs submitted on
> punch cards.  We had to wait for hours or even the next day to discover a
> stupid typo.

Punch cards???!!!!????

Piffle. We used *paper tape* :-)

> Actually, the profs didn't use punchcards, just us peons.  The profs had
> dumb terminals so they could log in to the central server -- and sit for
> as long as five minutes to discover if the server had crashed, or was
> just busy serving the needs of the department chairman's secretary.
> 
> Over the years, the frustrations have merely morphed, not vanished :(
> 
> > be able to mount removeable media...
> 
> That was really what I was asking.  I hear horror stories about employees
> plugging usb thumb drives into corporate workstations to steal files, or
> maybe infecting the whole network with malware from a "lost" thumb drive
> found at a bus stop or a car park.


Here's a funny story. It's true, and it's sad, but also macabrely funny.

A penetration testing firm that I know well was commissioned to test the 
external security of a certain enterprise that was obliged to comply with 
stiff legal requirements. This firm does our pentesting too, and they are 
pretty thorough. If you ask them to throw the book at something for testing, 
and pay them enough, they will gladly oblige, and not care too much if this 
embarrasses you

Try as they might, they could not get past this enterprise's border firewalls. 
Nothing showed up as a weakness. They tried and tried and tried and tried ....

Until one day one of their bright spark techies had a brilliant idea. They 
hired a bunch of pretty girls wearing tight skimpy "New! Improved! Check Our 
Promotion!" outfits to stand outside the front door handing out free 
complimentary CDs.

Yes, you guessed it. Within the hour the perimeter firewalls had more holes 
than a Swiss cheese. Somebody paid dearly for that.

-- 
alan dot mckinnon at gmail dot com

Re: [gentoo-user] Re: xfce woes

[Adam Carter]

[-- Attachment #1: Type: text/plain, Size: 529 bytes --]

> Until one day one of their bright spark techies had a brilliant idea. They
> hired a bunch of pretty girls wearing tight skimpy "New! Improved! Check
> Our
> Promotion!" outfits to stand outside the front door handing out free
> complimentary CDs.
>
> Yes, you guessed it. Within the hour the perimeter firewalls had more holes
> than a Swiss cheese. Somebody paid dearly for that.
>
>
That's not new. A similar one i heard of was to leave some USB drives on the
ground in the carpark... or you could use spear phishing emails

[-- Attachment #2: Type: text/html, Size: 742 bytes --]

Re: [gentoo-user] xfce woes

[Fernando Antunes]

[-- Attachment #1: Type: text/plain, Size: 1645 bytes --]

On Wed, Feb 2, 2011 at 5:23 PM, John <john@arcticwolf.myzen.co.uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Gentoo Lite Users,
>
> I have recently upgraded to xfce 4.8
> All seems to be well apart from
> a) Normal Users cannot shutdown
>

I resolved this using
exec ck-launch-session startxfce4
to start xfce.



> b) Normal Users cannot automount using xfce (can through sudo mount).
>
> I have followed xfce guide using use flags as suggested.
>
> Users are in plugdev group
> dbus and consolekit are in default runlevel.
>
> I don't have this problem. For me it works fine. Are normal users members
of usb group ?


> I have removed hal (by masking) and makes no difference.
>
> I removed too.


> Have tried adding /usr/lib64/xfce4/session/xfsm-shutdown-helper
> to sudo but no help there.
>
> Have looked on a few forums and suggested that config file for this
> is /etc/dbus.d/system.d/hal.conf. This does have a gentoo section which
> looks like it would allow above.
>
> Any suggestions would be appreciated.
>
> I have this issue on 2 machines.
>
>
> - --
> John D Maunder
> john@articwolf.myzen.co.uk
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.16 (GNU/Linux)
>
> iQEcBAEBAgAGBQJNSa8nAAoJEOuCgqleN2EyeUwH/1Fw2uxm+UdGM9MYP3kOumz5
> tPqXemnrAfne41cIslzKbUI11yXrZrFbVAe2cOAsYN4MWIgwzJgh4vwe0vqMadEa
> 2JmaEEx2mrd7gecTQnv7Qctc7L7PECXt7YKUcwAs7jXZK5AFq4blknqy8ra1gE9o
> lyhRh0nJc1fFu6jI1O1tQ2TdeIyi631+qAM8LiM905vY+qGE+L4xmKclC3syMCF8
> zPvTyR8J7cqn5E+6T2APoT0EPw2fm0ad8B5awQumL+LA5Uc8eXpKgrPqSmPoAsh4
> aEGfH4YAK70Bkz4kVPAxn6IxORjTdR1A068d7CV4M0ujidHF4XCQe7V1FrQ9KV0=
> =xut7
> -----END PGP SIGNATURE-----
>

[-- Attachment #2: Type: text/html, Size: 2734 bytes --]