
Re: user can't mount loop device...



On Fri, Jan 19, 2001 at 04:48:01PM +0000, Dale Scheetz wrote:
> I've run into a security bottleneck that interferes with desired use of
> unprivileged user diskspace.
> 
> I want User to be able to mount a file image, owned by User, on a mount
> point, also owned by User, but most of the tools aren't available to User.
> 
> I suppose I can assign User to the group with read/write permission to
> /dev/loopN which should give User access to all three elements of the
> mount.
> 
> The stopper is that neither losetup, nor mke2fs are executable by User.
> Can I pull the same group permission "magic" as described for the loop
> device, and make them setgid, to gain access by User?
> 
> I'm a bit confused as to why losetup and mke2fs can't be used by User if
> User has read/write permission to the components being utilized. Why may
> only root execute them?

As other people have pointed out, users can use mke2fs.

What no one has mentioned is that users absolutely MUST NOT be allowed
to run losetup (or mount, which would also be necessary).  It's a file
image.  It can, for instance, contain suid binaries, not owned by the
user.  That's easy to make - see debugfs.

If you really want to, you could add fstab entries marked
'user,nosuid,nodev' at the least, and provide a wrapper for losetup. 
As a whole this is a very bad idea, since access to a raw filesystem
device often allows for all sorts of system corruption.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/
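
The fstab suggestion in the message above, as an added example that is not part of the original post: an audit that flags user-mountable fstab entries whose effective options still honour setuid bits or device nodes. It relies on mount(8) applying options left to right, with `user`, `users`, `owner` and `group` implying `nosuid,nodev` unless a later option overrides them; the function names, paths and image names are hypothetical.

```python
# Added example: audit fstab text for user-mountable entries that still
# honour setuid bits or device nodes inside the mounted filesystem.

# Constructed sample fstab; paths and image names are hypothetical.
SAMPLE_FSTAB = """\
# <fs>               <mountpoint>    <type> <options>                     <dump> <pass>
/dev/hda1            /               ext2   errors=remount-ro             0 1
/home/user/disk.img  /home/user/mnt  ext2   loop,user,nosuid,nodev,noauto 0 0
/home/user/b.img     /home/user/b    ext2   loop,user,suid,noauto         0 0
/home/user/c.img     /home/user/c    ext2   loop,nosuid,users,dev,noauto  0 0
/dev/fd0             /floppy         auto   owner,noauto                  0 0
"""

USER_OPTS = {"user", "users", "owner", "group"}


def effective_flags(options):
    """Apply mount options left to right; later options override earlier ones."""
    suid = dev = True          # state when no option says otherwise
    user_mountable = False
    for opt in options.split(","):
        opt = opt.split("=", 1)[0]
        if opt in USER_OPTS:
            # Each of these implies nosuid and nodev at this position.
            user_mountable, suid, dev = True, False, False
        elif opt == "nouser":
            user_mountable = False
        elif opt in ("suid", "nosuid"):
            suid = opt == "suid"
        elif opt in ("dev", "nodev"):
            dev = opt == "dev"
    return user_mountable, suid, dev


def audit_fstab(text):
    """Return [(mountpoint, [problems])] for risky user-mountable entries."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        user_mountable, suid, dev = effective_flags(fields[3])
        problems = [name for name, on in (("suid", suid), ("dev", dev)) if on]
        if user_mountable and problems:
            findings.append((fields[1], problems))
    return findings


if __name__ == "__main__":
    for mountpoint, problems in audit_fstab(SAMPLE_FSTAB):
        print(f"{mountpoint}: user-mountable with {', '.join(problems)} enabled")
```
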


