Mounting of removable media - security problem ?
Hello all!
Last time I discovered, that when I added "user" option in /etc/fstab for
floppies and zips, it is possible for everybody having account on my box
to read, write and delete files on my removable disk (floppy or zip).
When one user (lets call him "A") mounts the floppy, he becomes the owner
of its filesystem, but if he does not use it temporarily, another user
("B") can unmount it, and then mount again. In this way user "B" may get
full access to someone's else disk! =:-<
I would like to configure my system in that way, that only user working
on the virtual console may mount and unmount removeable media. (I think it
is the best solution, because he must anyway access the computer to insert
the disk).
However I didn't see any appropriate options in the documentation of
"mount" or "fstab".
Now I'm thinking about writing a special root-suided application, which
will check if the user which is executing it has logged in from the
virtual console, then will mount the removable disk, and pass its
ownership to the user...
Is it really the only solution of above problem?
Last time I've read the discussion about "sticky bit". Does setting of
this bit for mount point may help? If I understood this discussion,
setting of this bit should block the posibility of unmounting and remounting
of someone else's filesystem.
But anyway it does not eliminate the problem completely.
I can imagine such paranoic situation, that someone runs in the
background a script, which is trying every second to mount the floppy or
zip. In this case he will become the owner of this disk before the man who
inserted it will be able to mount it.
So the only acceptable solution is to require that mounting of
removable media is allowed only for users working on the virtual console
(and root of course!!!).
Thanks in advance
Please answer preferrably by e-mail
to: wzab@ipe.pw.edu.pl
Wojtek Zabolotny
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: