[Wylug-discuss] How to allow users restricted mount/unmounts

Gary Stainburn gary.stainburn at ringways.co.uk
Tue Jan 6 17:45:36 GMT 2004


On Tuesday 06 Jan 2004 4:21 pm, Graham Whaley wrote:
> Hiya.
>
>   I'm having a 'security' issue here on our server, and cannot concoct a
> nice solution at the moment.  Any ideas much appreciated....
>
>
>   We do various amounts of embedded linux development.  This requires users
> to build a kernel and filesystem on our servers, and then download them
> onto a target board to run/debug etc.
>
>   The problem comes in building the filesystem to be tested.  To place
> files into a filesystem you have to mount it, and to mount it you have to
> be root. Obviously, I don't want to give root access on our servers to all
> of our developers - just cannot trust them you know :-)
>
>   My ideal solution is to allow any user to mount a file (with a loopback
> device), place files into that mounted system, and then unmount it, without
> ever gaining any root privilege.  Can this be done??  Oh, I guess the same
> situation applies to unmount as well.
>
>   I have been looking at sudo, but it seems to be either too restrictive or
> not restrictive enough.  That is, I can let users run mount/unmount with
> any arguments, or with a fixed set of arguments.
>
>   Any ideas?
>
>   My final solution is looking like a sudo of
>
>  'mount ./filesystem.img ./mnt -o loop,user'
> and
>  'umount ./filesystem.img'
>
>
>   The downside of this is that the user has to use the filenames specified,
> and they could go and mount other people's filesystems and edit them if they
> (maliciously) wanted to.

My /etc/fstab has:

/dev/sda                /mnt/usb                vfat    user,owner      0 0

In this case, it allows any user to insert a USB memory stick and then mount
/mnt/usb.  Once mounted, it and everything within it belongs to the user who
called the mount.

There should be nothing to stop you doing something similar using a loopback
device and a file->filesystem.

In my case, I copied the CDROM icon file within the Desktop folder, creating
USB and edited it so that it would automatically mount and browse the folder
when clicked - right-click->umount also works.

>
>
> 	Ta,
>
> 		Graham

--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
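
An added example, not part of the original thread: a POSIX sh audit that lists the fstab entries ordinary users may mount, and the exec/suid/dev state left after the options are applied in order. It relies on the implied options documented in mount(8); the image paths under /srv/build and their ext2 type are hypothetical.

```shell
#!/bin/sh
# Added example: report user-mountable fstab entries and their effective flags.
# mount(8): user/users imply noexec,nosuid,nodev; owner/group imply
# nosuid,nodev; a later exec, suid or dev option overrides the implied one.

audit_fstab() {
    # Reads fstab-format text on stdin; prints one line per user-mountable entry:
    #   <mountpoint> <granting options> exec=.. suid=.. dev=.. <ok|RISK>
    set -f                                  # no globbing while splitting options
    while read -r src mnt fstype opts rest; do
        case "$src" in ''|'#'*) continue ;; esac    # skip blanks and comments
        who='' ex=yes su=yes dv=yes
        old_ifs=$IFS; IFS=,
        set -- $opts                        # split the option list on commas
        IFS=$old_ifs
        for o in "$@"; do
            case "$o" in
                user|users)  who="${who:+$who+}$o"; ex=no; su=no; dv=no ;;
                owner|group) who="${who:+$who+}$o"; su=no; dv=no ;;
                nouser)      who='' ;;
                exec) ex=yes ;; noexec) ex=no ;;
                suid) su=yes ;; nosuid) su=no ;;
                dev)  dv=yes ;; nodev)  dv=no ;;
            esac
        done
        [ -n "$who" ] || continue           # root-only entry, nothing to report
        verdict=ok
        # setuid binaries or device nodes on user-supplied media are the concern
        if [ "$su" = yes ] || [ "$dv" = yes ]; then verdict=RISK; fi
        printf '%s %s exec=%s suid=%s dev=%s %s\n' \
            "$mnt" "$who" "$ex" "$su" "$dv" "$verdict"
    done
    set +f
    return 0
}

# Constructed sample: the first line is the entry quoted in the reply above;
# the loopback image lines are hypothetical.
SAMPLE='/dev/sda /mnt/usb vfat user,owner 0 0
/srv/build/alice/filesystem.img /srv/build/alice/mnt ext2 loop,user,noauto 0 0
/srv/build/bob/filesystem.img /srv/build/bob/mnt ext2 loop,user,exec,suid,dev,noauto 0 0
/dev/hda1 / ext3 defaults 1 1'

printf '%s\n' "$SAMPLE" | audit_fstab
```

On a real host, feed it the live table with `audit_fstab < /etc/fstab` and review every line marked RISK.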




