[Wylug-discuss] How to allow users resticted mount/unmounts

Tue Jan 6 16:21:31 GMT 2004

Hiya.

  I'm having a 'security' issue here on our server, and cannot concoct a
nice solution at the moment.  Any ideas much appreciated....

  We do various amounts of embedded linux development.  This requires users
to build a kernel and filesystem on our servers, and then download them onto
a target board to run/debug etc.

  The problem comes in building the filesystem to be tested.  To place files
into a filesystem you have to mount it, and to mount it you have to be root.
Obviously, I don't want to give root access on our servers to all of our
developers - just cannot trust them you know :-)

  My ideal solution is to allow any user to mount a file (with a loopback
device), place files into that mounted system, and then unmount it, without
ever gaining any root priveledge.  Can this be done??  Oh, I guess the same
situation applies to unmount as well.

  I have been looking at sudo, but it seems to be either too restrictive or
not restrictive enough.  That is, I can let users run mount/unmount with any
arguments, or with a fixed set of arguments.

  Any ideas?

  My final solution is looking like a sudo of

 'mount ./filesystem.img ./mnt -o loop,user'
and
 'umount ./filesystem.img'

  The downside of this is that the user has to use the filenames specified,
and they could go and mount other peoples filesystems and edit them if they
(maliciously) wanted to.

	Ta,

		Graham
******************
This e-mail has been sent from Imagination Technologies Limited.
PowerVR, Metagence, Ensigma and PURE Digital are divisions
of Imagination Technologies Limited.

The information contained in this e-mail, including any attachment,
is confidential and may be legally privileged.  It is intended solely
for the addressee(s) and access to this e-mail by anyone else is
unauthorised.  If you are not the intended recipient, any disclosure,
copying or distribution or use of the information contained in this
e-mail, is prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender by return e-mail and then
delete it from your system.

Internet communications cannot be guaranteed to be secure,
error or virus-free.  The sender does not accept liability for any errors
or omissions which arise as a result.

Any views expressed in this message are those of the author, except
where the author specifies and, with authority, states them to be the
views of Imagination Technologies Ltd.