Hi Jaromil!

Jaromil wrote on 29/07/2015 at 19:44 CEST:
> [...]
> how I do it now? hardcode every single binary
> that sudo is aloud to execute, full path
> and locations that are only root writable.
> that's a sudoers feature...

This is how I personally see it: In an ideal environment,
there were *no* things done during regular use of a personal
computing device that required administrative permissions.

Inversion of argument: The more operations occurring during
regular operation of a system require administrative rights,
the more flawed the system is, be it, because it has a
wrong concept of what "administrative" is or because it fails
to secure its operation properly, and thus, to gain plausible
deniability, confronts the user with "this is dangerous, enter
a superuser password, abandon all hope" in trivial usage
scenarios (see also note [1] for an example).

Having said that, I agree that attaching ephemeral, untrusted
storage media into the filesystem hierarchy is a security-
critical operation. Doing so must be performed as consciously
as possible, security implications must have been considered
and precautions must have been taken.

In the light of this, isn't it preferable to have this system
behavior of "automounting" performed by a dedicated service
that manifests itself as an unmistakably perceivable process
instead of burying it in some cryptic XML or Javascript
configuration of a policy management subsystem?
And, you may disagree, but sudo to me is "a rootshell where
every commandline is prefixed with the string 'sudo '".
Is that a better solution?

Kind regards,
T.

Note [1]: Example: Installing new software via "packages"
requires superuser permissions, because all those packages are
entangled into one big bulk of a system called the
"distribution", and messing with what's installed voids the
warranty. ;-)