gabriel rosenkoetter on 16 Nov 2006 23:10:25 -0000



Re: [PLUG] loopback mounting fs images


On Thu, Nov 16, 2006 at 05:24:07PM -0500, Jeff Abrahamson wrote:
> I'd like to be able to mount filesystem images from an already mounted
> filesystem without having to authorize myself specially.  I don't
> think this is possible, but I'm curious (1) if I'm wrong and it is
> possible, and (2) what the security concerns of this would be as long
> as mount restricted me to mounting files I own on mount-points I own
> and didn't permit files in the newly mounted fs to have permissions or
> ownership that I couldn't otherwise give them.

1. I think the traditional way to grant that pseudo-super-user
privilege is through a group. Lots of the world uses the operator
group for this. It may be worth looking at what Mac OS X / Darwin's
hdiutil does for this, though: you can do that as a regular user. (I think?)

2. Security concerns revolve mostly around a privileged user later
trusting the contents of the image (so, as the sysadmin, "don't do
that", or maybe only let things be mounted read-only; and that's
fine for union/tmpfs/whatever mounts, because the underlying data
doesn't get changed) and around permitting suid and device files
in the mounted image (which you can prevent in the fstab line, if
you go with letting a group mount certain things in certain places,
either by way of a pretty complicated fstab line or through sudo(8)
or similar).

I guess I had the impression that the Linux FS layer already had
ways to let regular users do union and tmpfs mounts, but I haven't
ever actually done it... was I wrong? Would that be enough, or do
you need changes to be persistent after umount(8)?

-- 
gabriel rosenkoetter
gr@eclipsed.net
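As an added illustration of the fstab approach gabriel describes (this is not code from the thread or the list), here is a POSIX sh audit that walks fstab entries, picks out the ones that let an ordinary user mount (user/users/owner/group, which Linux mount(8) makes imply nosuid and nodev), and reports any entry where a later suid or dev option has quietly re-enabled those behaviours. The sample fstab lines, paths and the function name audit_user_mounts are constructed for the example.

```shell
# Constructed sample fstab entries (not taken from any real system).
SAMPLE_FSTAB='# <file system>  <mount point>  <type>  <options>  <dump> <pass>
/dev/sda1  /  ext4  defaults  0 1
/home/jeff/images/disk.img   /home/jeff/mnt   ext3  user,loop,ro,nosuid,nodev,noexec  0 0
/home/jeff/images/other.img  /home/jeff/mnt2  ext3  user,loop,exec,suid               0 0
/home/jeff/images/third.img  /home/jeff/mnt3  ext3  users,loop,dev                    0 0'

# Print one line per user-mountable entry: "<mount point> OK" when the entry
# still carries nosuid and nodev, otherwise "<mount point> RISK: <missing>".
# In the option list the last occurrence wins, so "user,...,suid" is a
# user-mountable entry that permits setuid binaries from the image.
audit_user_mounts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip comments/blank lines
        set -- $line                                # split fstab fields on whitespace
        mp=$2; opts=$4
        user_mountable=0; suid_ok=0; dev_ok=0
        oldifs=$IFS; IFS=,
        for o in $opts; do
            case "$o" in
                user|users|owner|group) user_mountable=1; suid_ok=1; dev_ok=1 ;;
                nosuid) suid_ok=1 ;;
                suid)   suid_ok=0 ;;
                nodev)  dev_ok=1 ;;
                dev)    dev_ok=0 ;;
            esac
        done
        IFS=$oldifs
        [ "$user_mountable" -eq 1 ] || continue
        missing=
        [ "$suid_ok" -eq 1 ] || missing="$missing nosuid"
        [ "$dev_ok" -eq 1 ]  || missing="$missing nodev"
        if [ -z "$missing" ]; then
            printf '%s OK\n' "$mp"
        else
            printf '%s RISK:%s\n' "$mp" "$missing"
        fi
    done
}

audit_user_mounts "$SAMPLE_FSTAB"
```

Run it against a real /etc/fstab with `audit_user_mounts "$(cat /etc/fstab)"`; it only reads the file and reports, it changes nothing.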


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug