How to access mounted file systems as a guest user?
In Ubuntu 11.04 I could mount a file system in /media/foo and run chown guest:guest /media/foo/bar -R
and have full access in the guest account. After the upgrade to 12.04 I changed my routine to reflect the new guest usernames (chown guest[id]:guest[id] /media/foo/bar -R
) but I still can't access it as a guest user, as I don't have access privileges to /media as guest:
ls: cannot open directory /media: Permission denied
(Very interestingly this does work if I su
into the guest account as root). I understand this is meant as a security measure but I don't see how it is done. ls -l /
reports
drwxr-xr-x 11 root root 4096 Sep 9 22:28 media
Thus my two questions: How does this restriction work and how can I access a mounted file system as a guest user, ideally without allowing access to all of the other mounted file systems?
Access to /media
is restricted by the AppArmor profile /etc/apparmor.d/lightdm-guest-session
. There are two exceptions (lines 31 and 32):
owner /media/ r,
owner /media/** rmwlixk, # we want access to USB sticks and the like
That allows access if /media/foo
is owned by guest[id], which is the first alternative to solve my problem. The downside is that the guest account can create arbitrary directories and files in the root of /media/foo. I decided to explicitly poke a hole for /media/foo/bar
and added the lines:
owner /media/foo/bar rw,
A description of the syntax can be found here: http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.apparmor.profiles.html
To the best of my knowledge this only allows the guest session to access /media/foo/bar
and only if guest[id] is the owner of bar
. Note that guest[id] still cannot access /media/foo
itself. Thus ls /media/foo
will fail, but ls /media/foo/bar
works.
Lastly reload the profile for the changes to take effect:
sudo apparmor_parser -r /etc/apparmor.d/lightdm-guest-session