[Wylug-discuss] How to allow users resticted mount/unmounts
Gary Stainburn
gary.stainburn at ringways.co.uk
Tue Jan 6 17:45:36 GMT 2004
On Tuesday 06 Jan 2004 4:21 pm, Graham Whaley wrote:
> Hiya.
>
> I'm having a 'security' issue here on our server, and cannot concoct a
> nice solution at the moment. Any ideas much appreciated....
>
>
> We do various amounts of embedded linux development. This requires users
> to build a kernel and filesystem on our servers, and then download them
> onto a target board to run/debug etc.
>
> The problem comes in building the filesystem to be tested. To place
> files into a filesystem you have to mount it, and to mount it you have to
> be root. Obviously, I don't want to give root access on our servers to all
> of our developers - just cannot trust them you know :-)
>
> My ideal solution is to allow any user to mount a file (with a loopback
> device), place files into that mounted system, and then unmount it, without
> ever gaining any root priveledge. Can this be done?? Oh, I guess the same
> situation applies to unmount as well.
>
> I have been looking at sudo, but it seems to be either too restrictive or
> not restrictive enough. That is, I can let users run mount/unmount with
> any arguments, or with a fixed set of arguments.
>
> Any ideas?
>
> My final solution is looking like a sudo of
>
> 'mount ./filesystem.img ./mnt -o loop,user'
> and
> 'umount ./filesystem.img'
>
>
> The downside of this is that the user has to use the filenames specified,
> and they could go and mount other peoples filesystems and edit them if they
> (maliciously) wanted to.
My /etc/fstab has:
/dev/sda /mnt/usb vfat user,owner 0 0
In this case, it allows any user to insert a USB memory stick and then mount
/mnt/usb. Once mounted, it and everything within it belongs to the user who
called the mount.
There should be nothing to stop you doing something similar using a loopback
device and a file->filesystem.
In my case, I copied the CDROM icon file within the Desktop folder, creating
USB and edited it so that it would automatically mount and browse the folder
when clicked - right-click->umount also works.
>
>
> Ta,
>
> Graham
> ******************
> This e-mail has been sent from Imagination Technologies Limited.
> PowerVR, Metagence, Ensigma and PURE Digital are divisions
> of Imagination Technologies Limited.
>
> The information contained in this e-mail, including any attachment,
> is confidential and may be legally privileged. It is intended solely
> for the addressee(s) and access to this e-mail by anyone else is
> unauthorised. If you are not the intended recipient, any disclosure,
> copying or distribution or use of the information contained in this
> e-mail, is prohibited and may be unlawful. If you have received this
> e-mail in error, please notify the sender by return e-mail and then
> delete it from your system.
>
> Internet communications cannot be guaranteed to be secure,
> error or virus-free. The sender does not accept liability for any errors
> or omissions which arise as a result.
>
> Any views expressed in this message are those of the author, except
> where the author specifies and, with authority, states them to be the
> views of Imagination Technologies Ltd.
>
>
> _______________________________________________
> Wylug-discuss mailing list
> Wylug-discuss at wylug.org.uk
> http://list.wylug.org.uk/mailman/listinfo/wylug-discuss
--
Gary Stainburn
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
More information about the Wylug-discuss
mailing list