I'm testing ivman-0.6.5 and I've noticed that using usb drives (using FAT32) with the default config is, well duh, a royal pain in the ass. Problem 1) umask is 022. Since the owner is ivman:plugdev, nobody but root can access it in write mode. Plus, anyone with (maybe even **remote**) file system access can read it. Solution: umask should be, IMHO, 007 (you can set it from /etc/ivman/IvmanConfigBase.xml). This means that all users in group "plugdev" can work on it. It would really make sense. Problem 2) only root can umount it (and you _have_ to manually umount it or you'll end up with a corrupted fs). $ pumount usbdisk Error: device /dev/sda1 was not mounted by you Expected behaviour: all users in the "plugdev" group should be able to umount it. Solution: I don't know how to do that :( Workaround: add "/usr/bin/pumount usbdisk" to /etc/sudoers
Rohan, can you please take care of the default config changes? Any idea for problem #2?
I'd like to stress the importance of the "world" permissions of the umask: imagine, for example, a home computer running a test apache/php server with an application that allows attackers to run arbitrary code with apache privileges (that is a typical mistake with apps that allow users to upload files on the server, but don't check for file extensions -- so that the attacker only has to upload a .php file). Such a situation is bad as itself, but at least the attacker won't be able to read /home directories. However, with umask 022 he will be able to read the contents of any USB drives that are inserted, and USB drives often contain highly sensible personal data (personal docs, GPG private keys, pam-usb keys, etc. etc.)
Problem #2: this is a known caveat of running Ivman from root account. I guess the ideal solution would be to supply pmount with a commandline option, like '--group-umount', which allows anyone in the plugdev group to umount, as opposed to simply the user who mounted. For now, try running Ivman from your regular user account instead, e.g. with your X/Gnome/KDE session, as 'man ivman' suggests. Then the pmount command will be run from Ivman under your account, and so you will be able to unmount with pumount. Problem #1: heck, I don't know what I was thinking there :-) 022 is an especially silly umask. Ivman 0.6.6 will be out very soon, and I'll change it to 007 in that. I still recommend you to let Ivman running under your user account do the mounting, though. This should probably be made more clear in some docs somewhere.
Ivman 0.6.6 is out now, and in portage. It changes the default umask to 007. Also, I wrote a patch to implement a pmount feature as discussed in comment #3, and sent it to the developer of pmount; now waiting to see if he likes it or not :-)
The default config has changed in 0.6.6, FIXED
