Re: user can't mount loop device...

[Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>]

>>>>> " " == Daniel Jacobowitz <dan@debian.org> writes:

     > What no one has mentioned is that users absolutely MUST NOT be
     > allowed to run losetup (or mount, which would also be

If losetup is setuid you could do the following (untested):

losetup /dev/loop/0 /etc/shaddow

and then

dd if=/dev/loop/0 of=passwd

Nice. :)

     > necessary).  It's a file image.  It can, for instance, contain
     > suid binaries, not owned by the user.  That's easy to make -
     > see debugfs.

     > If you really want to, you could add fstab entries marked
     > 'user,nosuid,nodev' at the least, and provide a wrapper for
     > losetup.  As a whole this is a very bad idea, since access to a
     > raw filesystem device often allows for all sorts of system
     > corruption.

You need an entry anyway and the problem is the same for floppies or
zip or any other removable medium with an ext2 filesystem on it.

>From man mount:
              user   Allow an ordinary user  to  mount  the  file
                     system.   This  option  implies  the options
                     noexec, nosuid, and nodev (unless overridden
                     by subsequent options, as in the option line
                     user,exec,dev,suid).

So user or users is enough. You might want to allow executables
though.

MfG
        Goswin