
Re: trying to mount a micro USB disk as a regular user on a Linux laptop on which I don't have admin rights ...



On 2020-05-14 at 06:43, Albretch Mueller wrote:

> On 5/12/20, Eric S Fraga <e.fraga@ucl.ac.uk> wrote:
> 
>> If pmount is installed/available, 'pmount sdc1' will mount the disk
>> onto /media/sdc1.
> 
> I don't think pmount is installed, but I will check anyway. My 
> options seem hopeless.
> 
> I can't even understand why they would mount a drive as root. Isn't 
> that more problematic from a security point of view?

Depends on what you consider the alternative to be.

To start out with, in order to mount a drive at all, you have to have
sufficient permissions on the device node which represents the disk. If
an ordinary user had those permissions, then that user could read the
contents of the disk without mounting it (thereby bypassing file-level
security on any files on that disk), and/or write directly to the disk
(thereby trashing the disk contents, or - with additional sophistication
- replacing them with other, potentially malicious, data).

Beyond that, since a mount can be done to any directory path, consider
the security implications if a random user could mount an arbitrary
device (or file) over, say, /etc or /usr or ~/.config/ or some other
important path. Even if done by accident with a harmless filesystem,
something like that could be catastrophic, or at least lead to denial of
service because of missing critical files; if done intentionally with a
malicious filesystem, you could see sensitive data getting written to
the mounted device and thereby leaked, or externally-supplied malicious
programs getting run as privileged users.

Requiring that a given mount-path/device-node pair be listed in
/etc/fstab before a non-root user can explicitly mount it avoids both of
those problems, at the cost of limiting the mount flexibility of
everyone who can't write to that file.

Various other tools (including pmount and udisks) have since been
created to mitigate that limitation, and for good reason, but some
people still prefer to stick with the /etc/fstab listing as a
mount-security design.

(Note that I'm partly extrapolating from observation, rather than
speaking from certain knowledge, but I'm mostly confident that this is
an accurate description.)

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
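
An added example, not part of the original message or of any tool it names: a small Python audit of the /etc/fstab design described above. It lists the entries a non-root user may mount and reports which of the noexec/nosuid/nodev restrictions (implied by user/users, and partly by owner/group, per mount(8)) a later option on the same line has switched off. The fstab content and the name audit_fstab are constructed for illustration.

```python
# Added example: which fstab entries may a non-root user mount, and with
# which protections? SAMPLE_FSTAB is constructed, not from a real system.
SAMPLE_FSTAB = """\
# <device>      <mount point>  <type>   <options>               <dump> <pass>
UUID=1111-aaaa  /              ext4     errors=remount-ro       0 1
/dev/sdc1       /media/usb     vfat     noauto,user             0 0
/dev/sdd1       /media/backup  ext4     noauto,users,exec,suid  0 0
/dev/sr0        /media/cdrom   iso9660  ro,noauto,owner,dev     0 0
"""

# Per mount(8): these options let an ordinary user mount the entry and imply
# the listed restrictions unless a later option on the line overrides them.
IMPLIED = {
    "user": {"noexec", "nosuid", "nodev"},
    "users": {"noexec", "nosuid", "nodev"},
    "owner": {"nosuid", "nodev"},
    "group": {"nosuid", "nodev"},
}
OPPOSITE = {"exec": "noexec", "suid": "nosuid", "dev": "nodev"}
PROTECTIONS = set(OPPOSITE.values())


def audit_fstab(text):
    """Return (device, mountpoint, enabling option, protections not in effect)
    for every entry a non-root user may mount. Simplification: only the
    exec/suid/dev families are tracked; 'defaults' and 'nouser' are ignored."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        device, mountpoint, _fstype, options = fields[:4]
        enabler, active = None, set()
        for opt in options.split(","):      # left to right: later options win
            if opt in IMPLIED:
                enabler = opt
                active |= IMPLIED[opt]
            elif opt in OPPOSITE:
                active.discard(OPPOSITE[opt])
            elif opt in PROTECTIONS:
                active.add(opt)
        if enabler:
            findings.append((device, mountpoint, enabler, sorted(PROTECTIONS - active)))
    return findings


if __name__ == "__main__":
    for device, mountpoint, enabler, missing in audit_fstab(SAMPLE_FSTAB):
        print(f"{device} on {mountpoint} ({enabler}): missing {missing or 'nothing'}")
```

An entry that reports a missing nosuid or nodev is one where a user-supplied filesystem could carry setuid binaries or device nodes that the kernel will honour.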
