- $ mount /pendrive
- And don't have to be root but will get full permissions on /pendrive.
- This works even without udev if /udev/pendrive is replaced by /dev/sda1
+ $mount /media/PENDRIVE
+ and doen't have to be root, but will get full permissions on the device.
+ Using the persistent disk links (label, uuid) will always catch the
+ same device regardless of the actual kernel name.
+
+Q: Are there any security issues that I should be aware of?
+A: When using dynamic device numbers, a given pair of major/minor numbers may
+ point to different hardware over time. If a user has permission to access a
+ specific device node directly and is able to create hard links to this node,
+ he or she can do so to create a copy of the device node. When the device is
+ unplugged and udev removes the device node, the user's copy remains.
+ If the device node is later recreated with different permissions the hard
+ link can still be used to access the device using the old permissions.
+ (The same problem exists when using PAM to change permissions on login.)
+
+ The simplest solution is to prevent the creation of hard links by putting
+ /dev in a separate filesystem like tmpfs.