tolikpunkoff

udevil.conf

Jan 7th, 2017
  1. ##############################################################################
  2. #
  3. # udevil configuration file /etc/udevil/udevil.conf
  4. #
  5. # This file controls what devices, networks, and files users may mount and
  6. # unmount via udevil (set suid).
  7. #
  8. # IMPORTANT: IT IS POSSIBLE TO CREATE SERIOUS SECURITY PROBLEMS IF THIS FILE
  9. # IS MISCONFIGURED - EDIT WITH CARE
  10. #
  11. # Note: For greater control for specific users, including root, copy this
  12. # file to /etc/udevil/udevil-user-USERNAME.conf replacing USERNAME with the
  13. # desired username (eg /etc/udevil/udevil-user-jim.conf).
  14. #
  15. # Format:
  16. # OPTION = VALUE[, VALUE, ...]
  17. #
  18. # DO NOT USE QUOTES except literally
  19. # Lines beginning with # are ignored
  20. #
  21. ##############################################################################
  22.  
  23.  
  24. # To log all uses of udevil, set log_file to a file path:
  25. # log_file = /var/log/udevil.log
      # NOTE(review): log_file is left commented out here, so this file does not
      # turn on the usage log described above. For a setuid mount helper an audit
      # trail is worth enabling; also check any udevil-user-USERNAME.conf, which
      # may set it separately.
  26.  
  27. # Approximate number of days to retain log entries (0=forever, max=60):
      # NOTE(review): presumably has no effect while log_file is unset - confirm.
  28. log_keep_days = 10
  29.  
  30.  
  31. # allowed_types determines what fstypes can be passed by a user to the u/mount
  32. # program, what device filesystems may be un/mounted implicitly, and what
  33. # network filesystems may be un/mounted.
  34. # It may also include the 'file' keyword, indicating that the user is allowed
  35. # to mount files (eg an ISO file). The $KNOWN_FILESYSTEMS variable may
  36. # be included to include common local filesystems as well as those listed in
  37. # /etc/filesystems and /proc/filesystems.
  38. # allowed_types_USERNAME, if present, is used to override allowed_types for
  39. # the specific user 'USERNAME'. For example, to allow user 'jim' to mount
  40. # only vfat filesystems, add:
  41. # allowed_types_jim = vfat
  42. # Setting allowed_types = * does NOT allow all types, as this is a security
  43. # risk, but does allow all recognized types.
  44. # allowed_types = $KNOWN_FILESYSTEMS, file, cifs, smbfs, nfs, curlftpfs, ftpfs, sshfs, tmpfs, ramfs
  45. #allowed_types = $KNOWN_FILESYSTEMS, file
  46.  
  47.  
  48. # allowed_users is a list of users permitted to mount and unmount with udevil.
  49. # Wildcards (* or ?) may be used in the usernames. To allow all users,
  50. # specify "allowed_users=*". UIDs may be included using the form UID=1000.
  51. # For example: allowed_users = carl, UID=1000, pre*
  52. # Also note that permission to execute udevil may be limited to users belonging
  53. # to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
  54. # depending on installation.
  55. # allowed_users_FSTYPE, if present, is used to override allowed_users when
  56. # mounting or unmounting a specific fstype (eg nfs, ext3, file).
  57. # Note that when mounting a file, fstype will always be 'file' regardless of
  58. # the internal fstype of the file.
  59. # For example, to allow only user 'bob' to mount nfs shares, add:
  60. # allowed_users_nfs = bob
  61. # The root user is NOT automatically allowed to use udevil in some cases unless
  62. # listed here (except for unmounting anything or mounting fstab devices).
  63. #allowed_users = *
  64.  
  65.  
  66. # allowed_groups is a list of groups permitted to mount and unmount with
  67. # udevil. The user MUST belong to at least one of these groups. Wildcards
  68. # or GIDs may NOT be used in group names, but a single * may be used to allow
  69. # all groups.
  70. # Also note that permission to execute udevil may be limited to users belonging
  71. # to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
  72. # depending on installation.
  73. # allowed_groups_FSTYPE, if present, is used to override allowed_groups when
  74. # mounting or unmounting a specific fstype (eg nfs, ext3, file). For example,
  75. # to allow only members of the 'network' group to mount smb and nfs shares,
  76. # use both of these lines:
  77. # allowed_groups_smbfs = network
  78. # allowed_groups_nfs = network
  79. # The root user is NOT automatically allowed to use udevil in some cases unless
  80. # listed here (except for unmounting anything or mounting fstab devices).
  81. #allowed_groups = *
  82.  
  83.  
  84. # allowed_media_dirs specifies the media directories in which user mount points
  85. # may be located. The first directory which exists and does not contain a
  86. # wildcard will be used as the default media directory (normally /media or
  87. # /run/media/$USER).
  88. # The $USER variable, if included, will be replaced with the username of the
  89. # user running udevil. Wildcards may also be used in any directory EXCEPT the
  90. # default. Wildcards will not match a /
  91. # allowed_media_dirs_FSTYPE, if present, is used to override allowed_media_dirs
  92. # when mounting or unmounting a specific fstype (eg ext2, nfs). For example,
  93. # to cause /media/network to be used as the default media directory for
  94. # nfs and ftpfs mounts, use these two lines:
  95. # allowed_media_dirs_nfs = /media/network, /media, /run/media/$USER
  96. # allowed_media_dirs_ftpfs = /media/network, /media, /run/media/$USER
  97. # NOTE: If you want only the user who mounted a device to have access to it
  98. # and be allowed to unmount it, specify /run/media/$USER as the first
  99. # allowed media directory.
  100. # IMPORTANT: If an allowed file is mounted to a media directory, the user may
  101. # be permitted to unmount its associated loop device even though internal.
  102. # INCLUDING /MNT HERE IS NOT RECOMMENDED. ALL ALLOWED MEDIA DIRECTORIES
  103. # SHOULD BE OWNED AND WRITABLE ONLY BY ROOT.
  104. #allowed_media_dirs = /media, /run/media/$USER
  105.  
  106.  
  107. # allowed_devices is the first criterion for what block devices users may mount
  108. # or unmount. If a device is not listed in allowed_devices, it cannot be
  109. # un/mounted (unless in fstab). However, even if a device is listed, other
  110. # factors may prevent its use. For example, access to system internal devices
  111. # will be denied to normal users even if they are included in allowed_devices.
  112. # allowed_devices_FSTYPE, if present, is used to override allowed_devices when
  113. # mounting or unmounting a specific fstype (eg ext3, ntfs). For example, to
  114. # prevent all block devices containing an ext4 filesystem from being
  115. # un/mounted use:
  116. # allowed_devices_ext4 =
  117. # Note: Wildcards may be used, but a wildcard will never match a /, except
  118. # for "allowed_devices=*" which allows any device. The recommended setting is
  119. # allowed_devices = /dev/*
  120. # WARNING: ALLOWING USERS TO MOUNT DEVICES OUTSIDE OF /dev CAN CAUSE SERIOUS
  121. # SECURITY PROBLEMS. DO NOT ALLOW DEVICES IN /dev/shm
  122. #allowed_devices = /dev/*
  123.  
  124.  
  125. # allowed_internal_devices causes udevil to treat any listed block devices as
  126. # removable, thus allowing normal users to un/mount them (providing they are
  127. # also listed in allowed_devices).
  128. # allowed_internal_devices_FSTYPE, if present, is used to override
  129. # allowed_internal_devices when mounting or unmounting a specific fstype
  130. # (eg ext3, ntfs). For example, to allow block devices containing a vfat
  131. # filesystem to be un/mounted even if they are system internal devices, use:
  132. # allowed_internal_devices_vfat = /dev/sdb*
  133. # Some removable esata drives look like internal drives to udevil. To avoid
  134. # this problem, they can be treated as removable with this setting.
  135. # WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
  136. # allowed_internal_devices =
  137.  
  138.  
  139. # allowed_internal_uuids and allowed_internal_uuids_FSTYPE work similarly to
  140. # allowed_internal_devices, except that UUIDs are specified instead of devices.
  141. # For example, to allow un/mounting of an internal filesystem based on UUID:
  142. # allowed_internal_uuids = cc0c4489-8def-1e5b-a304-ab87c3cb626c0
  143. # WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
  144. # allowed_internal_uuids =
  145.  
  146.  
  147. # forbidden_devices is used to prevent block devices from being un/mounted
  148. # even if other settings would allow them (except devices in fstab).
  149. # forbidden_devices_FSTYPE, if present, is used to override
  150. # forbidden_devices when mounting or unmounting a specific fstype
  151. # (eg ext3, ntfs). For example, to prevent device /dev/sdd1 from being
  152. # mounted when it contains an ntfs filesystem, use:
  153. # forbidden_devices_ntfs = /dev/sdd1
  154. # NOTE: device node paths are canonicalized before being tested, so forbidding
  155. # a link to a device will have no effect.
       # NOTE(review): the value set here is a bare *. Presumably it matches every
       # device path, as the allowed_devices comment documents for
       # "allowed_devices=*" - confirm. If so, udevil refuses every block device
       # that is not in fstab, whatever allowed_devices says. A
       # forbidden_devices_FSTYPE line would override this for that fstype, so
       # review any such line as an exception to the blanket deny.
  156. forbidden_devices = *
  157.  
  158.  
  159. # allowed_networks determines what hosts may be un/mounted by udevil users when
  160. # using nfs, cifs, smbfs, curlftpfs, ftpfs, or sshfs. Hosts may be specified
  161. # using a hostname (eg myserver.com) or IP address (192.168.1.100).
  162. # Wildcards may be used in hostnames and IP addresses, but CIDR notation
  163. # (192.168.1.0/16) is NOT supported. IP v6 is supported. For example:
  164. # allowed_networks = 127.0.0.1, 192.168.1.*, 10.0.0.*, localmachine, *.okay.com
  165. # Or, to prevent un/mounting of any network shares, set:
  166. # allowed_networks =
  167. # allowed_networks_FSTYPE, if present, is used to override allowed_networks
  168. # when mounting or unmounting a specific network fstype (eg nfs, cifs, sshfs,
  169. # curlftpfs). For example, to limit nfs and samba shares to only local
  170. # networks, use these two lines:
  171. # allowed_networks_nfs = 192.168.1.*, 10.0.0.*
  172. # allowed_networks_cifs = 192.168.1.*, 10.0.0.*
  173. #allowed_networks = *
  174.  
  175.  
  176. # forbidden_networks and forbidden_networks_FSTYPE are used to specify networks
  177. # that are never allowed, even if other settings allow them (except fstab).
  178. # NO REVERSE LOOKUP IS PERFORMED, so including bad.com will only have an effect
  179. # if the user uses that hostname. IP lookup is always performed, so forbidding
  180. # an IP address will also forbid all corresponding hostnames.
       # NOTE(review): the value set here is a bare *, which presumably matches
       # every host - confirm. If so, no network share outside fstab can be
       # un/mounted through udevil, and the per-fstype network option lists
       # elsewhere in this file only matter if this line is relaxed.
  181. forbidden_networks = *
  182.  
  183.  
  184. # allowed_files is used to determine what files in what directories may be
  185. # un/mounted. A user must also have read permission on a file to mount it.
  186. # Note: Wildcards may be used, but a wildcard will never match a /, except
  187. # for "allowed_files=*" which allows any file. For example, to allow only
  188. # files in the /share directory to be mounted, use:
  189. # allowed_files = /share/*
  190. # NOTE: Specifying allowed_files_FSTYPE will NOT work because the fstype of
  191. # files is always 'file'.
  192. #allowed_files = *
  193.  
  194.  
  195. # forbidden_files is used to specify files that are never allowed, even if
  196. # other settings allow them (except fstab). Specify a full path.
  197. # Note: Wildcards may be used, but a wildcard will never match a /, except
  198. # for "forbidden_files = *".
  199. # NOTE: file paths are canonicalized before being tested, so forbidding
  200. # a link to a file will have no effect.
       # NOTE(review): the value set here is the bare * form, the one wildcard that
       # also matches a /, so every file path is forbidden (fstab entries excepted)
       # and file/ISO mounts through udevil are denied by this configuration.
  201. forbidden_files = *
  202.  
  203.  
  204. # default_options specifies what options are always included when performing
  205. # a mount, in addition to any options the user may specify.
  206. # Note: When a device is present in /etc/fstab, and the user does not specify
  207. # a mount point, the device is mounted with normal user permissions using
  208. # the fstab entry, without these options.
  209. # default_options_FSTYPE, if present, is used to override default_options
  210. # when mounting a specific fstype (eg ext2, nfs).
  211. # The variables $USER, $UID, and $GID are changed to the user's username, UID,
  212. # and GID.
  213. # FOR GOOD SECURITY, default_options SHOULD ALWAYS INCLUDE: nosuid,noexec,nodev
  214. # WARNING: OPTIONS PRESENT OR MISSING CAN CAUSE SERIOUS SECURITY PROBLEMS.
       # NOTE(review): every default_options* line below carries nosuid, noexec and
       # nodev; keep it that way when adding a new per-fstype line, because such a
       # line overrides default_options instead of adding to it. An fstype with no
       # line of its own (nfs, for example) presumably falls back to
       # default_options - confirm.
  215. default_options = nosuid, noexec, nodev, noatime
  216. default_options_file = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro
  217. # mount iso9660 with 'ro' to prevent mount read-only warning
  218. default_options_iso9660 = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro, utf8
  219. default_options_udf = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  220. default_options_vfat = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID, utf8
  221. default_options_msdos = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID
  222. default_options_umsdos = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID
  223. default_options_ntfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, utf8
  224. default_options_cifs = nosuid, noexec, nodev, uid=$UID, gid=$GID
  225. default_options_smbfs = nosuid, noexec, nodev, uid=$UID, gid=$GID
       # NOTE(review): allow_other (sshfs, curlftpfs) is the FUSE option that opens
       # the mount to users other than the one who mounted it; drop it from these
       # two lines if remote content should stay private to the mounting user.
       # nonempty permits mounting over a directory that already has content.
  226. default_options_sshfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
  227. default_options_curlftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
  228. default_options_ftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  229. default_options_tmpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  230. default_options_ramfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  231.  
  232.  
  233. # allowed_options determines all options that a user may specify when mounting.
  234. # All the options used in default_options above must be included here too, or
  235. # they will be rejected. If the user attempts to use an option not included
  236. # here, an error will result. Wildcards may be used.
  237. # allowed_options_FSTYPE, if present, is used to override allowed_options
  238. # when mounting a specific fstype (eg ext2, nfs).
  239. # The variables $USER, $UID, and $GID are changed to the user's username, UID,
  240. # and GID.
  241. # If you want to forbid remounts, remove 'remount' from here.
  242. # WARNING: OPTIONS HERE CAN CAUSE SERIOUS SECURITY PROBLEMS - CHOOSE CAREFULLY
       # NOTE(review): uid=$UID and gid=$GID are listed instead of uid=* / gid=*, so
       # presumably only the caller's own ids are accepted for those options; keep
       # them in that form. fmask/dmask are likewise pinned to 0022 rather than
       # left as wildcards.
  243. allowed_options = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID, ro, rw, sync, flush, iocharset=*, utf8, remount
  244. allowed_options_nfs = nosuid, noexec, nodev, noatime, ro, rw, sync, remount, port=*, rsize=*, wsize=*, hard, proto=*, timeo=*, retrans=*
       # NOTE(review): pass=* / password=* (cifs, smbfs, ftpfs) accept a password as
       # a mount option, i.e. on the udevil command line, where other local users
       # may see it in the process list; it would presumably also reach log_file
       # when logging is enabled - confirm. credentials=* accepts any file path;
       # verify which user's privileges are used to read that file before keeping
       # the wildcard.
  245. allowed_options_cifs = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
  246. allowed_options_smbfs = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
       # NOTE(review): allow_other is user-selectable for sshfs and curlftpfs; it
       # opens the FUSE mount to users other than the one who mounted it. Removing
       # it here requires removing it from the matching default_options_* lines
       # too, or those defaults will be rejected.
  247. allowed_options_sshfs = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, idmap=user, BatchMode=yes, port=*
  248. allowed_options_curlftpfs = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, user=*
  249. allowed_options_ftpfs = nosuid, noexec, nodev, noatime, ro, rw, port=*, user=*, pass=*, ip=*, root=*, uid=$UID, gid=$GID
  250.  
  251.  
  252. # mount_point_mode, if present and set to a non-empty value, will cause udevil
  253. # to set the mode (permissions) on the mount point after mounting. If not
  254. # specified or if left empty, the mode is not changed. Mode must be octal
  255. # starting with a zero (0755).
  256. # mount_point_mode_FSTYPE, if present, is used to override mount_point_mode
  257. # when mounting a specific fstype (eg ext2, nfs).
  258. # NOT SETTING A MODE CAN HAVE SECURITY IMPLICATIONS FOR SOME FSTYPES
  259. mount_point_mode = 0755
  260. # don't set a mode for some types:
       # NOTE(review): an empty value means the mode is left unchanged (see above),
       # so for these three types the mount point keeps whatever permissions it
       # ends up with after mounting. sshfs and curlftpfs also default to
       # allow_other in this file, so check the resulting mode on a test mount.
  261. mount_point_mode_sshfs =
  262. mount_point_mode_curlftpfs =
  263. mount_point_mode_ftpfs =
  264.  
  265.  
  266. # Use the settings below to change the default locations of programs used by
  267. # udevil, or (advanced topic) to redirect commands to your scripts.
  268. # When substituting scripts, make sure they are root-owned and accept the
  269. # options used by udevil (for example, the mount_program must accept --fake,
  270. # -o, -v, and other options valid to mount.)
  271. # Be sure to specify the full path and include NO OPTIONS or other arguments.
  272. # These programs may also be specified as configure options when building
  273. # udevil.
  274. # THESE PROGRAMS ARE RUN AS ROOT
  275. # mount_program = /bin/mount
  276. # umount_program = /bin/umount
  277. # losetup_program = /sbin/losetup
  278. # setfacl_program = /usr/bin/setfacl
  279.  
  280.  
  281. # validate_exec specifies a program or script which provides additional
  282. # validation of a mount or unmount command, beyond the checks performed by
  283. # udevil. The program is run as a normal user (if root runs udevil,
  284. # validate_exec will NOT be run). The program is NOT run if the user is
  285. # mounting a device without root privileges (a device in fstab).
  286. # The program is passed the username, a printable description of what is
  287. # happening, and the entire udevil command line as the first three arguments.
  288. # The program must return an exit status of 0 to allow the mount or unmount
  289. # to proceed. If it returns non-zero, the user will be denied permission.
  290. # For example, validate_exec might specify a script which notifies you
  291. # of the command being run, or performs additional steps to authenticate the
  292. # user.
  293. # Specify a full path to the program, with NO options or arguments.
  294. # validate_exec =
  295.  
  296.  
  297. # validate_rootexec works similarly to validate_exec, except that the program
  298. # is run as root. validate_rootexec will also be run if the root user runs
  299. # udevil. If both validate_exec and validate_rootexec are specified,
  300. # validate_rootexec will run first, followed by validate_exec.
  301. # The program must return an exit status of 0 to allow the mount or unmount
  302. # to proceed. If it returns non-zero, the user will be denied permission.
  303. # Unless you are familiar with writing root scripts, it is recommended that
  304. # rootexec settings NOT be used, as it is easy to inadvertently open exploits.
  305. # THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
  306. # validate_rootexec =
  307.  
  308.  
  309. # success_exec is run after a successful mount, remount, or unmount. The
  310. # program is run as a normal user (if root runs udevil, success_exec
  311. # will NOT be run).
  312. # The program is passed the username, a printable description of what action
  313. # was taken, and the entire udevil command line as the first three arguments.
  314. # The program's exit status is ignored.
  315. # For example, success_exec might run a script which informs you of what action
  316. # was taken, and might perform further actions.
  317. # Specify a full path to the program, with NO options or arguments.
  318. # success_exec =
  319.  
  320.  
  321. # success_rootexec works similarly to success_exec, except that the program is
  322. # run as root. success_rootexec will also be run if the root user runs udevil.
  323. # If both success_exec and success_rootexec are specified, success_rootexec
  324. # will run first, followed by success_exec.
  325. # Unless you are familiar with writing root scripts, it is recommended that
  326. # rootexec settings NOT be used, as it is easy to inadvertently open exploits.
  327. # THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
  328. # success_rootexec =