[GTALUG] Adding all users to the "disk" group: bad idea, or terrible idea?
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Tue Feb 18 11:43:26 EST 2020
On Mon, Feb 17, 2020 at 04:28:52PM -0500, Stewart C. Russell via talk wrote:
> So I'm working with a developer making a simple cross-platform graphical
> program to write Raspberry Pi OS images to SD card. This is meant for
> beginners to use. The developer is adamant that their program doesn't need
> to run under 'sudo' but that every user should be added to the disk group
> instead.
>
> This means that every user can write directly to system disk devices at any
> time. The Debian-based systems I use don't add regular users to "disk". Is
> it reasonable/common for regular users to be set up this way?
>
> cheers
>
> Stewart $(export HAVE_ACCIDENTALLY_OVERWRITTEN_ROOT=1) Russell
Certainly Debian says:
"The group disk can be very dangerous, since hard drives in /dev/sd*
and /dev/hd* can be read and written bypassing any file system and any
partition, allowing a normal user to disclose, alter and destroy both
the partitions and the data of such drives without root privileges. Users
should never belong to this group. "
Safest option I can think of would be to create a new group for usb flash
drives, and then create a new udev rule to make usb flash drives belong to
that group instead of the disk group, and then add the user to that group.
On a typical linux system though, there is no safe way to write to raw
usb drives. Anything that allows it means you are root.
In the past (like 4 or 5 years ago) Debian used to use the 'floppy'
group for usb media, but they no longer do.
But if you don't want to mess with udev rules, using sudo seems the
sanest method. Adding normal users to the disk group is obviously not
the solutuion.
--
Len Sorensen
More information about the talk
mailing list