Why does OS X require admin privileges to unmount a drive from the terminal using `umount` but not when using Finder?
Anyone can unmount a usb drive from Finder by clicking on the "eject" icon next to it. However, only a user with administrative privileges can unmount a drive from the terminal using umount
.
Are umount
and "eject" different in some way that requires more security for umount
from the terminal?
Note I am running OS X 10.8.2
umount
is a UNIX command that adheres to the traditional UNIX perspective that unmounting a filesystem is a system administration task.
The rationale behind is that unmounting a filesystem, if poorly planned or executed, could be disruptive, even destructive, especially on a multiuser system. So regular users are protected from this potentially dangerous command and only root or a privileged user is allowed to execute it.
This makes a lot of sense when UNIX is used as a server operating system, but a UNIX-based desktop OS (for example, OS X or Ubuntu) has other needs: any user should be able to unmount flash drives, removable harddrives, etc.
The Finder and diskutil
(see man diskutil for more information) work this way. For example, I can open Terminal and successfully run:
$ diskutil unmount /Volumes/Untitled
Volume Untitled on disk2s2 unmounted
whereas umount
fails:
$ umount /Volumes/Untitled
umount: unmount(/Volumes/Untitled): Operation not permitted
What is the Finder or diskutil
doing differently? Behind the scenes, they send a request to a daemon called com.apple.SecurityServer (see man page for more information), which grants the right to unmount the filesystem:
$ tail -f /var/log/system.log
Feb 6 16:57:37 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/System/Library/CoreServices/Finder.app' [171] for authorization created by '/System/Library/CoreServices/Finder.app' [171] (100013,0)
Feb 6 16:57:37 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskarbitrationd' [18] for authorization created by '/System/Library/CoreServices/Finder.app' [171] (100002,0)
Feb 6 17:01:46 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskutil' [646] for authorization created by '/usr/sbin/diskutil' [646] (100013,0)
Feb 6 17:01:46 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskarbitrationd' [18] for authorization created by '/usr/sbin/diskutil' [646] (100002,0)
This allows any user to unmount a drive without requiring additional authentication. (Ubuntu has a similar philosophy. If you are interested, take a look at this answer on AskUbuntu.)
To support the behavior explained above the Finder and diskutil
use several Apple frameworks:
$ otool -L $(which diskutil) | grep Disk
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/DiskManagement (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (compatibility version 1.0.0, current version 1.0.0)
$ otool -L /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder | grep Disk
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (compatibility version 1.0.0, current version 1.0.0)
/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/DiskImages (compatibility version 1.0.8, current version 344.0.0)
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/DiskManagement (compatibility version 1.0.0, current version 1.0.0)
umount
, on the other side, is only linked to this dynamic library:
$ otool -L $(which umount)
/sbin/umount:
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 169.3.0)
(/usr/lib/libSystem.B.dylib
uses several other libraries, but isn't linked to any framework.)