Re: user can't mount loop device...

[kleptog@cupid.suninternet.com (Martijn van Oosterhout)]

On Sat, Jan 20, 2001 at 08:23:27PM +0100, Tollef Fog Heen wrote:
> * Goswin Brederlow 
> 
> | >From man mount:
> |               user   Allow an ordinary user  to  mount  the  file
> |                      system.   This  option  implies  the options
> |                      noexec, nosuid, and nodev (unless overridden
> |                      by subsequent options, as in the option line
> |                      user,exec,dev,suid).
> | 
> | So user or users is enough. You might want to allow executables
> | though.
> 
> noexec is very weak on linux anyhow:
> 
> $ ~/bin/hello 
> bash: /home/tfheen/bin/hello: Permission denied
> $/lib/ld-linux.so.2 ~/bin/hello 
> Hello, world!
> $mount | grep home
> /dev/ide/host0/bus0/target0/lun0/part3 on /home type ext2 (rw,noexec)
> $

They could always just copy the binary to their home directory and run it
from there. The important point is that if the original had any special
attributes (setuid, setgid, capabilities, etc) these are not passed on since
they are lost in the copy and the loader does not handle them.

It does protect a system from unsafe filesystems on swappable media. That's all
it was supposed to do.

Martijn