yigitcolakoglu
/
dotfiles
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Another copy of my dotfiles. Because I don't completely trust GitHub.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
318 Commits
2 Branches
105 MiB
Tree: 5c3c814099
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5c3c814099'
${ noResults }
dotfiles/.local/root/udevil.conf

335 lines
18 KiB
Raw Normal View History

Moved root files to .local/share/root
4 years ago
 
  1. ##############################################################################
  2. #
  3. # udevil configuration file    /etc/udevil/udevil.conf
  4. #
  5. # This file controls what devices, networks, and files users may mount and
  6. # unmount via udevil (set suid).
  7. # 
  8. # IMPORTANT:  IT IS POSSIBLE TO CREATE SERIOUS SECURITY PROBLEMS IF THIS FILE
  9. # IS MISCONFIGURED - EDIT WITH CARE
  10. #
  11. # Note:  For greater control for specific users, including root, copy this
  12. # file to /etc/udevil/udevil-user-USERNAME.conf replacing USERNAME with the
  13. # desired username (eg /etc/udevil/udevil-user-jim.conf).
  14. #
  15. # Format:
  16. #   OPTION = VALUE[, VALUE, ...]
  17. #
  18. # DO NOT USE QUOTES except literally
  19. # Lines beginning with # are ignored
  20. #
  21. ##############################################################################
  22. 

  23. 

  24. # To log all uses of udevil, set log_file to a file path:
  25. # log_file = /var/log/udevil.log
  26. 

  27. # Approximate number of days to retain log entries (0=forever, max=60):
  28. log_keep_days = 10
  29. 

  30. 

  31. # allowed_types determines what fstypes can be passed by a user to the u/mount
  32. # program, what device filesystems may be un/mounted implicitly, and what
  33. # network filesystems may be un/mounted.
  34. # It may also include the 'file' keyword, indicating that the user is allowed
  35. # to mount files (eg an ISO file).  The $KNOWN_FILESYSTEMS variable may
  36. # be included to include common local filesystems as well as those listed in
  37. # /etc/filesystems and /proc/filesystems.
  38. # allowed_types_USERNAME, if present, is used to override allowed_types for
  39. # the specific user 'USERNAME'.  For example, to allow user 'jim' to mount
  40. # only vfat filesystems, add:
  41. # allowed_types_jim = vfat
  42. # Setting allowed_types = * does NOT allow all types, as this is a security
  43. # risk, but does allow all recognized types.
  44. # allowed_types = $KNOWN_FILESYSTEMS, file, cifs, smbfs, nfs, curlftpfs, ftpfs, sshfs, davfs, tmpfs, ramfs
  45. allowed_types = $KNOWN_FILESYSTEMS, file, cifs
  46. 

  47. 

  48. # allowed_users is a list of users permitted to mount and unmount with udevil.
  49. # Wildcards (* or ?) may be used in the usernames.  To allow all users,
  50. # specify "allowed_users=*".  UIDs may be included using the form UID=1000.
  51. # For example:  allowed_users = carl, UID=1000, pre*
  52. # Also note that permission to execute udevil may be limited to users belonging
  53. # to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
  54. # depending on installation.
  55. # allowed_users_FSTYPE, if present, is used to override allowed_users when
  56. # mounting or unmounting a specific fstype (eg nfs, ext3, file).
  57. # Note that when mounting a file, fstype will always be 'file' regardless of
  58. # the internal fstype of the file.
  59. # For example, to allow only user 'bob' to mount nfs shares, add:
  60. # allowed_users_nfs = bob
  61. # The root user is NOT automatically allowed to use udevil in some cases unless
  62. # listed here (except for unmounting anything or mounting fstab devices).
  63. allowed_users = *
  64. 

  65. 

  66. # allowed_groups is a list of groups permitted to mount and unmount with
  67. # udevil.  The user MUST belong to at least one of these groups.  Wildcards
  68. # or GIDs may NOT be used in group names, but a single * may be used to allow
  69. # all groups.
  70. # Also note that permission to execute udevil may be limited to users belonging
  71. # to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
  72. # depending on installation.
  73. # allowed_groups_FSTYPE, if present, is used to override allowed_groups when
  74. # mounting or unmounting a specific fstype (eg nfs, ext3, file).  For example,
  75. # to allow only members of the 'network' group to mount smb and nfs shares,
  76. # use both of these lines:
  77. # allowed_groups_smbfs = network
  78. # allowed_groups_nfs = network
  79. # The root user is NOT automatically allowed to use udevil in some cases unless
  80. # listed here (except for unmounting anything or mounting fstab devices).
  81. allowed_groups = *
  82. 

  83. 

  84. # allowed_media_dirs specifies the media directories in which user mount points
  85. # may be located.  The first directory which exists and does not contain a
  86. # wildcard will be used as the default media directory (normally /media or
  87. # /media/$USER).
  88. # The $USER variable, if included, will be replaced with the username of the
  89. # user running udevil.  Wildcards may also be used in any directory EXCEPT the
  90. # default.  Wildcards will not match a /, except a /** suffix for recursion.
  91. # allowed_media_dirs_FSTYPE, if present, is used to override allowed_media_dirs
  92. # when mounting or unmounting a specific fstype (eg ext2, nfs).  For example,
  93. # to cause /media/network to be used as the default media directory for
  94. # nfs and ftpfs mounts, use these two lines:
  95. # allowed_media_dirs_nfs   = /media/network, /media, /media/$USER
  96. # allowed_media_dirs_ftpfs = /media/network, /media, /media/$USER
  97. # NOTE: If you want only the user who mounted a device to have access to it
  98. # and be allowed to unmount it, specify /media/$USER as the first
  99. # allowed media directory (only /media/$USER is created on demand).
  100. # IMPORTANT:  If an allowed file is mounted to a media directory, the user may
  101. # be permitted to unmount its associated loop device even though internal.
  102. # INCLUDING /MNT HERE IS NOT RECOMMENDED.  ALL ALLOWED MEDIA DIRECTORIES
  103. # SHOULD BE OWNED AND WRITABLE ONLY BY ROOT.
  104. allowed_media_dirs = /media/$USER, /run/media/$USER
  105. 

  106. 

  107. # allowed_devices is the first criteria for what block devices users may mount
  108. # or unmount.  If a device is not listed in allowed_devices, it cannot be
  109. # un/mounted (unless in fstab).  However, even if a device is listed, other
  110. # factors may prevent its use.  For example, access to system internal devices
  111. # will be denied to normal users even if they are included in allowed_devices.  
  112. # allowed_devices_FSTYPE, if present, is used to override allowed_devices when
  113. # mounting or unmounting a specific fstype (eg ext3, ntfs).  For example, to
  114. # prevent all block devices containing an ext4 filesystem from being
  115. # un/mounted use:
  116. # allowed_devices_ext4 =
  117. # Note: Wildcards may be used, but a wildcard will never match a /, except
  118. # for "allowed_devices=*" which allows any device.  The recommended setting is
  119. # allowed_devices = /dev/*
  120. # WARNING:  ALLOWING USERS TO MOUNT DEVICES OUTSIDE OF /dev CAN CAUSE SERIOUS
  121. # SECURITY PROBLEMS.  DO NOT ALLOW DEVICES IN /dev/shm
  122. allowed_devices = /dev/*
  123. 

  124. 

  125. # allowed_internal_devices causes udevil to treat any listed block devices as
  126. # removable, thus allowing normal users to un/mount them (providing they are
  127. # also listed in allowed_devices).
  128. # allowed_internal_devices_FSTYPE, if present, is used to override
  129. # allowed_internal_devices when mounting or unmounting a specific fstype
  130. # (eg ext3, ntfs).  For example, to allow block devices containing a vfat
  131. # filesystem to be un/mounted even if they are system internal devices, use:
  132. # allowed_internal_devices_vfat = /dev/sdb*
  133. # Some removable esata drives look like internal drives to udevil.  To avoid
  134. # this problem, they can be treated as removable with this setting.
  135. # WARNING:  SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
  136. # allowed_internal_devices =
  137. 

  138. 

  139. # allowed_internal_uuids and allowed_internal_uuids_FSTYPE work similarly to
  140. # allowed_internal_devices, except that UUIDs are specified instead of devices.
  141. # For example, to allow un/mounting of an internal filesystem based on UUID:
  142. # allowed_internal_uuids = cc0c4489-8def-1e5b-a304-ab87c3cb626c0
  143. # WARNING:  SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
  144. # allowed_internal_uuids = 
  145. 

  146. 

  147. # forbidden_devices is used to prevent block devices from being un/mounted
  148. # even if other settings would allow them (except devices in fstab).
  149. # forbidden_devices_FSTYPE, if present, is used to override
  150. # forbidden_devices when mounting or unmounting a specific fstype
  151. # (eg ext3, ntfs).  For example, to prevent device /dev/sdd1 from being
  152. # mounted when it contains an ntfs filesystem, use:
  153. # forbidden_devices_ntfs = /dev/sdd1
  154. # NOTE: device node paths are canonicalized before being tested, so forbidding
  155. # a link to a device will have no effect.
  156. forbidden_devices =
  157. 

  158. 

  159. # allowed_networks determines what hosts may be un/mounted by udevil users when
  160. # using nfs, cifs, smbfs, curlftpfs, ftpfs, or sshfs.  Hosts may be specified
  161. # using a hostname (eg myserver.com) or IP address (192.168.1.100).
  162. # Wildcards may be used in hostnames and IP addresses, but CIDR notation 
  163. # (192.168.1.0/16) is NOT supported.  IP v6 is supported.  For example:
  164. # allowed_networks = 127.0.0.1, 192.168.1.*, 10.0.0.*, localmachine, *.okay.com
  165. # Or, to prevent un/mounting of any network shares, set:
  166. # allowed_networks =
  167. # allowed_networks_FSTYPE, if present, is used to override allowed_networks
  168. # when mounting or unmounting a specific network fstype (eg nfs, cifs, sshfs,
  169. # curlftpfs).  For example, to limit nfs and samba shares to only local
  170. # networks, use these two lines:
  171. # allowed_networks_nfs = 192.168.1.*, 10.0.0.*
  172. # allowed_networks_cifs = 192.168.1.*, 10.0.0.*
  173. allowed_networks = *
  174. 

  175. 

  176. # forbidden_networks and forbidden_networks_FSTYPE are used to specify networks
  177. # that are never allowed, even if other settings allow them (except fstab).
  178. # NO REVERSE LOOKUP IS PERFORMED, so including bad.com will only have an effect
  179. # if the user uses that hostname.  IP lookup is always performed, so forbidding
  180. # an IP address will also forbid all corresponding hostnames.
  181. forbidden_networks = 
  182. 

  183. 

  184. # allowed_files is used to determine what files in what directories may be
  185. # un/mounted.  A user must also have read permission on a file to mount it.
  186. # Note: Wildcards may be used, but a wildcard will never match a /, except
  187. # for "allowed_files=*" which allows any file, and a /** suffix, which matches
  188. # all files recursively.
  189. # For example, to allow only files in the /share directory to be mounted, use:
  190. # allowed_files = /share/*
  191. # To allow all files in the /share directory AND all subdirectories use:
  192. # allowed_files = /share/**
  193. # NOTE:  Specifying allowed_files_FSTYPE will NOT work because the fstype of
  194. # files is always 'file'.
  195. allowed_files = *
  196. 

  197. 

  198. # forbidden_files is used to specify files that are never allowed, even if
  199. # other settings allow them (except fstab).  Specify a full path.
  200. # Note: Wildcards may be used, but a wildcard will never match a /, except
  201. # for "forbidden_files = *", or a /** suffix, which matches all recursively.
  202. # NOTE: file paths are canonicalized before being tested, so forbidding
  203. # a link to a file will have no effect.
  204. forbidden_files = 
  205. 

  206. 

  207. # default_options specifies what options are always included when performing
  208. # a mount, in addition to any options the user may specify.
  209. # Note:  When a device is present in /etc/fstab, and the user does not specify
  210. # a mount point, the device is mounted with normal user permissions using
  211. # the fstab entry, without these options.
  212. # default_options_FSTYPE, if present, is used to override default_options
  213. # when mounting a specific fstype (eg ext2, nfs).
  214. # The variables $USER, $UID, and $GID are changed to the user's username, UID,
  215. # and GID.
  216. # FOR GOOD SECURITY, default_options SHOULD ALWAYS INCLUDE: nosuid,noexec,nodev
  217. # WARNING:  OPTIONS PRESENT OR MISSING CAN CAUSE SERIOUS SECURITY PROBLEMS.
  218. default_options           = nosuid, noexec, nodev, noatime
  219. default_options_file      = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro
  220. # mount iso9660 with 'ro' to prevent mount read-only warning
  221. default_options_iso9660   = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro, utf8
  222. default_options_udf       = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  223. default_options_vfat      = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID, utf8
  224. default_options_exfat     = nosuid, noexec, nodev, noatime, umask=0077, uid=$UID, gid=$GID, iocharset=utf8, namecase=0, nonempty
  225. default_options_msdos     = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID
  226. default_options_umsdos    = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID
  227. default_options_ntfs      = nosuid, noexec, nodev, noatime, fmask=0133, uid=$UID, gid=$GID, utf8
  228. default_options_cifs      = nosuid, noexec, nodev, uid=$UID, gid=$GID
  229. default_options_smbfs     = nosuid, noexec, nodev, uid=$UID, gid=$GID
  230. default_options_sshfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
  231. default_options_curlftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
  232. default_options_ftpfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  233. default_options_davfs     = nosuid, noexec, nodev, uid=$UID, gid=$GID
  234. default_options_tmpfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  235. default_options_ramfs     = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
  236. 

  237. 

  238. # allowed_options determines all options that a user may specify when mounting.
  239. # All the options used in default_options above must be included here too, or
  240. # they will be rejected.  If the user attempts to use an option not included
  241. # here, an error will result.  Wildcards may be used.
  242. # allowed_options_FSTYPE, if present, is used to override allowed_options
  243. # when mounting a specific fstype (eg ext2, nfs).
  244. # The variables $USER, $UID, and $GID are changed to the user's username, UID,
  245. # and GID.
  246. # If you want to forbid remounts, remove 'remount' from here.
  247. # WARNING:  OPTIONS HERE CAN CAUSE SERIOUS SECURITY PROBLEMS - CHOOSE CAREFULLY
  248. allowed_options           = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID, ro, rw, sync, flush, iocharset=*, utf8, remount
  249. allowed_options_nfs       = nosuid, noexec, nodev, noatime, ro, rw, sync, remount, port=*, rsize=*, wsize=*, hard, proto=*, timeo=*, retrans=*
  250. allowed_options_cifs      = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
  251. allowed_options_smbfs     = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
  252. allowed_options_sshfs     = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, idmap=user, BatchMode=yes, port=*
  253. allowed_options_curlftpfs = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, user=*
  254. allowed_options_ftpfs     = nosuid, noexec, nodev, noatime, ro, rw, port=*, user=*, pass=*, root=*, uid=$UID, gid=$GID
  255. allowed_options_exfat     = nosuid, noexec, nodev, noatime, fmask=0133, dmask=0022, uid=$UID, gid=$GID, umask=0077, namecase=*, ro, rw, sync, flush, iocharset=*, remount, nonempty
  256. 

  257. 

  258. # mount_point_mode, if present and set to a non-empty value, will cause udevil
  259. # to set the mode (permissions) on the moint point after mounting  If not
  260. # specified or if left empty, the mode is not changed.  Mode must be octal
  261. # starting with a zero (0755).
  262. # mount_point_mode_FSTYPE, if present, is used to override mount_point_mode
  263. # when mounting a specific fstype (eg ext2, nfs).
  264. # NOT SETTING A MODE CAN HAVE SECURITY IMPLICATIONS FOR SOME FSTYPES
  265. mount_point_mode = 0755
  266. # don't set a mode for some types:
  267. mount_point_mode_sshfs =
  268. mount_point_mode_curlftpfs =
  269. mount_point_mode_ftpfs =
  270. 

  271. 

  272. # Use the settings below to change the default locations of programs used by
  273. # udevil, or (advanced topic) to redirect commands to your scripts.
  274. # When substituting scripts, make sure they are root-owned and accept the
  275. # options used by udevil (for example, the mount_program must accept --fake,
  276. # -o, -v, and other options valid to mount.)
  277. # Be sure to specify the full path and include NO OPTIONS or other arguments.
  278. # These programs may also be specified as configure options when building
  279. # udevil.
  280. # THESE PROGRAMS ARE RUN AS ROOT
  281. # mount_program   = /bin/mount
  282. # umount_program  = /bin/umount
  283. # losetup_program = /sbin/losetup
  284. # setfacl_program = /usr/bin/setfacl
  285. 

  286. 

  287. # validate_exec specifies a program or script which provides additional
  288. # validation of a mount or unmount command, beyond the checks performed by
  289. # udevil.  The program is run as a normal user (if root runs udevil,
  290. # validate_exec will NOT be run).  The program is NOT run if the user is
  291. # mounting a device without root privileges (a device in fstab).
  292. # The program is passed the username, a printable description of what is
  293. # happening, and the entire udevil command line as the first three arguments.
  294. # The program must return an exit status of 0 to allow the mount or unmount
  295. # to proceed.  If it returns non-zero, the user will be denied permission.
  296. # For example, validate_exec might specify a script which notifies you
  297. # of the command being run, or performs additional steps to authenticate the
  298. # user.
  299. # Specify a full path to the program, with NO options or arguments.
  300. # validate_exec =
  301. 

  302. 

  303. # validate_rootexec works similarly to validate_exec, except that the program
  304. # is run as root.  validate_rootexec will also be run if the root user runs
  305. # udevil.  If both validate_exec and validate_rootexec are specified, 
  306. # validate_rootexec will run first, followed by validate_exec.
  307. # The program must return an exit status of 0 to allow the mount or unmount
  308. # to proceed.  If it returns non-zero, the user will be denied permission.
  309. # Unless you are familiar with writing root scripts, it is recommended that
  310. # rootexec settings NOT be used, as it is easy to inadvertently open exploits.
  311. # THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
  312. # validate_rootexec =
  313. 

  314. 

  315. # success_exec is run after a successful mount, remount, or unmount.  The 
  316. # program is run as a normal user (if root runs udevil, success_exec
  317. # will NOT be run).
  318. # The program is passed the username, a printable description of what action
  319. # was taken, and the entire udevil command line as the first three arguments.
  320. # The program's exit status is ignored.
  321. # For example, success_exec might run a script which informs you of what action
  322. # was taken, and might perform further actions.
  323. # Specify a full path to the program, with NO options or arguments.
  324. # success_exec =
  325. 

  326. 

  327. # success_rootexec works similarly to success_exec, except that the program is
  328. # run as root.  success_rootexec will also be run if the root user runs udevil.
  329. # If both success_exec and success_rootexec are specified,  success_rootexec
  330. # will run first, followed by success_exec.
  331. # Unless you are familiar with writing root scripts, it is recommended that
  332. # rootexec settings NOT be used, as it is easy to inadvertently open exploits.
  333. # THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
  334. # success_rootexec =
  335.