* RFC: usermount - a secure mount for unpriviledged users
@ 2015-11-18 17:17 U.Mutlu
2015-11-18 18:24 ` Mantas Mikulėnas
2015-11-19 11:05 ` RFC: usermount - a secure mount for unpriviledged users Karel Zak
0 siblings, 2 replies; 11+ messages in thread
From: U.Mutlu @ 2015-11-18 17:17 UTC (permalink / raw)
To: util-linux
Currently no responsible admin can grant permission to the mount pgm
to his users, because of the dangers inherent with bind-mounting etc.
I suggest there should be an additional mount program destined for
unpriviledged users (to be used via sudo).
It should be a stripped down version of the mount pgm, with only some
basic options for mounting, but without the dangerous options like bind-mount.
The new program should of course have a different name, for example "usermount".
I think this is the most clean solution to this problem.
Users are intessted in mounting their own filesystems into
their own mountpoints, ie. they don't neccesserily need fstab or mtab etc.:
$ mkdir mymnt1 mymnt2
$ sudo usermount myfs.img ./mymnt1
$ sudo usermount my.iso ./mymnt2
I think the current author(s)/maintainer(s) of the mount pgm (Karel?)
should make and add such a stripped down usermount pgm to util-linux,
since they know mount the best.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: RFC: usermount - a secure mount for unpriviledged users
2015-11-18 17:17 RFC: usermount - a secure mount for unpriviledged users U.Mutlu
@ 2015-11-18 18:24 ` Mantas Mikulėnas
2015-11-19 0:53 ` mount-user.c U.Mutlu
2015-11-19 1:08 ` RFC: usermount - a secure mount for unpriviledged users Casper Ti. Vector
2015-11-19 11:05 ` RFC: usermount - a secure mount for unpriviledged users Karel Zak
1 sibling, 2 replies; 11+ messages in thread
From: Mantas Mikulėnas @ 2015-11-18 18:24 UTC (permalink / raw)
To: util-linux
On 2015-11-18 19:17, U.Mutlu wrote:
> Currently no responsible admin can grant permission to the mount pgm
> to his users, because of the dangers inherent with bind-mounting etc.
>
> I suggest there should be an additional mount program destined for
> unpriviledged users (to be used via sudo).
>
> It should be a stripped down version of the mount pgm, with only some
> basic options for mounting, but without the dangerous options like
> bind-mount.
>
> The new program should of course have a different name, for example
> "usermount".
>
> I think this is the most clean solution to this problem.
>
> Users are intessted in mounting their own filesystems into
> their own mountpoints, ie. they don't neccesserily need fstab or mtab etc.:
> $ mkdir mymnt1 mymnt2
> $ sudo usermount myfs.img ./mymnt1
> $ sudo usermount my.iso ./mymnt2
fwiw, udisks2 already lets you mount removable drives and loop devices
under (/run)/media:
$ udisksctl mount -b /dev/sdb4
$ udisksctl loop-setup -f ~/foo.img
--
Mantas Mikulėnas <grawity@gmail.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* mount-user.c
2015-11-18 18:24 ` Mantas Mikulėnas
@ 2015-11-19 0:53 ` U.Mutlu
2015-12-03 20:06 ` mount-user.c Michael Conrad
2015-11-19 1:08 ` RFC: usermount - a secure mount for unpriviledged users Casper Ti. Vector
1 sibling, 1 reply; 11+ messages in thread
From: U.Mutlu @ 2015-11-19 0:53 UTC (permalink / raw)
To: util-linux
Mantas Mikulėnas wrote on 11/18/2015 07:24 PM:
> On 2015-11-18 19:17, U.Mutlu wrote:
>> Currently no responsible admin can grant permission to the mount pgm
>> to his users, because of the dangers inherent with bind-mounting etc.
>>
>> I suggest there should be an additional mount program destined for
>> unpriviledged users (to be used via sudo).
>>
>> It should be a stripped down version of the mount pgm, with only some
>> basic options for mounting, but without the dangerous options like
>> bind-mount.
>>
>> The new program should of course have a different name, for example
>> "usermount".
>>
>> I think this is the most clean solution to this problem.
>>
>> Users are intessted in mounting their own filesystems into
>> their own mountpoints, ie. they don't neccesserily need fstab or mtab etc.:
>> $ mkdir mymnt1 mymnt2
>> $ sudo usermount myfs.img ./mymnt1
>> $ sudo usermount my.iso ./mymnt2
>
> fwiw, udisks2 already lets you mount removable drives and loop devices
> under (/run)/media:
>
> $ udisksctl mount -b /dev/sdb4
>
> $ udisksctl loop-setup -f ~/foo.img
Thanks, I'll check it out.
In the meantime I wrote the following q&d wrapper around mount.
I think this should be safe:
/*
mount-user.c
A wrapper to the mount pgm filtering dangerous options like bind-mounting.
Accepts all valid mount options and passes them to mount, except these:
-B --bind
-o bind
Compile:
$ gcc -Wall -O2 mount-user.c -o mount-user
Install:
# cp -p mount-user /usr/local/bin
# chown root:root /usr/local/bin/mount-user
# chmod 755 /usr/local/bin/mount-user
#
# and add it to /etc/sudoers, so that permitted users can use it like so:
$ sudo mount-user myfs.img mymntpoint
Advanced usage:
Use unshare-user (another useful user util by this author) prior
to make the user mounts hidden from the rest of the system.
History:
2015-11-18-We: v0.1b U.Mutlu: Init
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NELEMS(arr) (sizeof(arr) / sizeof(arr[0]))
#define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0)
int main(int argc, char* argv[])
{
char* aszIllegalOpts[] = { "-B", "--bind", "bind" };
int i, j;
for (i = 1; i < argc; ++i)
for (j = 0; j < NELEMS(aszIllegalOpts); ++j)
if (strstr(argv[i], aszIllegalOpts[j]))
{
printf("mount-user: error: illegal mount option '%s' given\n",
aszIllegalOpts[j]);
return 1;
}
argv[0] = "mount";
execvp(argv[0], &argv[0]);
errExit("mount-user");
}
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: RFC: usermount - a secure mount for unpriviledged users
2015-11-18 18:24 ` Mantas Mikulėnas
2015-11-19 0:53 ` mount-user.c U.Mutlu
@ 2015-11-19 1:08 ` Casper Ti. Vector
2015-11-19 1:53 ` udevil - mount tool U.Mutlu
1 sibling, 1 reply; 11+ messages in thread
From: Casper Ti. Vector @ 2015-11-19 1:08 UTC (permalink / raw)
To: util-linux
Also udevil, which might be of particular interest if you happen to
pursue a system with light dependencies:
<https://ignorantguru.github.io/udevil/>.
On Wed, Nov 18, 2015 at 08:24:19PM +0200, Mantas Mikulėnas wrote:
> fwiw, udisks2 already lets you mount removable drives and loop devices
> under (/run)/media:
>
> $ udisksctl mount -b /dev/sdb4
> $ udisksctl loop-setup -f ~/foo.img
--
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C
^ permalink raw reply [flat|nested] 11+ messages in thread
* udevil - mount tool
2015-11-19 1:08 ` RFC: usermount - a secure mount for unpriviledged users Casper Ti. Vector
@ 2015-11-19 1:53 ` U.Mutlu
2015-11-19 2:21 ` Casper Ti. Vector
0 siblings, 1 reply; 11+ messages in thread
From: U.Mutlu @ 2015-11-19 1:53 UTC (permalink / raw)
To: util-linux
Casper Ti. Vector wrote on 11/19/2015 02:08 AM:
> Also udevil, which might be of particular interest if you happen to
> pursue a system with light dependencies:
> <https://ignorantguru.github.io/udevil/>.
Yes, I like lightweight cmdline tools with light dependencies.
I'll try it out, thx.
Do you happen to know if it has some dangerous options like "bind-mounting"
like the standard "mount" pgm has?
Bind-mounting is a big security risk, really, and that's the sole
reason I was looking for an alternate mount tool for non-root users.
I see it's in the Debian repository; this makes things easier for me
(albeit the description is not very helpful, one could think it's an API :-) :
# aptitude search -F '%p %V %v %d' udevil
udevil 0.4.3-1 <none> Alternative storage media interface
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: udevil - mount tool
2015-11-19 1:53 ` udevil - mount tool U.Mutlu
@ 2015-11-19 2:21 ` Casper Ti. Vector
0 siblings, 0 replies; 11+ messages in thread
From: Casper Ti. Vector @ 2015-11-19 2:21 UTC (permalink / raw)
To: util-linux
> % udevil mount -o bind /dev/sdb1
> udevil: denied 90: option 'bind' is not an allowed option
Since the package is provided on you distro, you can install it and then
search for `allowed_options' in /etc/udevil/udevil.conf (or somewhere
like that; distros sometimes modify installation paths). I think the
default policy is already reasonable; you can still fine-tune it if
necessary, since the mechanism is quite flexible.
On Thu, Nov 19, 2015 at 02:53:04AM +0100, U.Mutlu wrote:
> Do you happen to know if it has some dangerous options like "bind-mounting"
> like the standard "mount" pgm has?
> Bind-mounting is a big security risk, really, and that's the sole
> reason I was looking for an alternate mount tool for non-root users.
--
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: RFC: usermount - a secure mount for unpriviledged users
2015-11-18 17:17 RFC: usermount - a secure mount for unpriviledged users U.Mutlu
2015-11-18 18:24 ` Mantas Mikulėnas
@ 2015-11-19 11:05 ` Karel Zak
2015-11-19 18:07 ` U.Mutlu
1 sibling, 1 reply; 11+ messages in thread
From: Karel Zak @ 2015-11-19 11:05 UTC (permalink / raw)
To: U.Mutlu; +Cc: util-linux
On Wed, Nov 18, 2015 at 06:17:12PM +0100, U.Mutlu wrote:
> Currently no responsible admin can grant permission to the mount pgm
> to his users, because of the dangers inherent with bind-mounting etc.
man mount, "The non-superuser mounts." section.
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: RFC: usermount - a secure mount for unpriviledged users
2015-11-19 11:05 ` RFC: usermount - a secure mount for unpriviledged users Karel Zak
@ 2015-11-19 18:07 ` U.Mutlu
2015-11-19 18:18 ` U.Mutlu
0 siblings, 1 reply; 11+ messages in thread
From: U.Mutlu @ 2015-11-19 18:07 UTC (permalink / raw)
To: util-linux
Karel Zak wrote on 11/19/2015 12:05 PM:
> On Wed, Nov 18, 2015 at 06:17:12PM +0100, U.Mutlu wrote:
>> Currently no responsible admin can grant permission to the mount pgm
>> to his users, because of the dangers inherent with bind-mounting etc.
>
> man mount, "The non-superuser mounts." section.
>
> Karel
The man page says:
The non-superuser mounts.
Normally, only the superuser can mount filesystems. However, when fstab
contains the user option on a line, anybody can mount the corresponding
filesystem.
Ok, let's try this out:
/etc/fstab:
...
/home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1 auto user,noauto 0 0
/home/userx/tmp/myfs2.img /home/userx/tmp/mymnt2 auto user,noauto 0 0
userx@mach:~/tmp$ ls -l
-rw-r--r-- 1 userx userx 10485760 Nov 19 02:11 myfs1.img
-rw-r--r-- 1 userx userx 10485760 Nov 17 07:20 myfs2.img
drwxr-xr-x 2 userx userx 4096 Nov 19 18:38 mymnt1
drwxr-xr-x 2 userx userx 4096 Nov 19 18:38 mymnt2
userx@mach:~/tmp$ mount /home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1
mount: only root can do that
So, then why is this not working?
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: RFC: usermount - a secure mount for unpriviledged users
2015-11-19 18:07 ` U.Mutlu
@ 2015-11-19 18:18 ` U.Mutlu
0 siblings, 0 replies; 11+ messages in thread
From: U.Mutlu @ 2015-11-19 18:18 UTC (permalink / raw)
To: util-linux
U.Mutlu wrote on 11/19/2015 07:07 PM:
> Karel Zak wrote on 11/19/2015 12:05 PM:
>> On Wed, Nov 18, 2015 at 06:17:12PM +0100, U.Mutlu wrote:
>>> Currently no responsible admin can grant permission to the mount pgm
>>> to his users, because of the dangers inherent with bind-mounting etc.
>>
>> man mount, "The non-superuser mounts." section.
>>
>> Karel
>
> The man page says:
> The non-superuser mounts.
> Normally, only the superuser can mount filesystems. However, when fstab
> contains the user option on a line, anybody can mount the corresponding
> filesystem.
>
> Ok, let's try this out:
>
> /etc/fstab:
> ...
> /home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1 auto user,noauto 0 0
> /home/userx/tmp/myfs2.img /home/userx/tmp/mymnt2 auto user,noauto 0 0
>
> userx@mach:~/tmp$ ls -l
> -rw-r--r-- 1 userx userx 10485760 Nov 19 02:11 myfs1.img
> -rw-r--r-- 1 userx userx 10485760 Nov 17 07:20 myfs2.img
> drwxr-xr-x 2 userx userx 4096 Nov 19 18:38 mymnt1
> drwxr-xr-x 2 userx userx 4096 Nov 19 18:38 mymnt2
>
> userx@mach:~/tmp$ mount /home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1
> mount: only root can do that
>
> So, then why is this not working?
Ok, it now works when doing so:
$ userx@mach:~/tmp$ mount ./mymnt1
and unmounting
$ userx@mach:~/tmp$ umount ./mymnt1
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: mount-user.c
2015-11-19 0:53 ` mount-user.c U.Mutlu
@ 2015-12-03 20:06 ` Michael Conrad
2015-12-04 7:32 ` mount-user.c U.Mutlu
0 siblings, 1 reply; 11+ messages in thread
From: Michael Conrad @ 2015-12-03 20:06 UTC (permalink / raw)
To: U.Mutlu, util-linux
Your script is vulnerable to PATH changes. Also be aware of
LD_LIBRARY_PATH attacks. If you write a custom c program it should
probably call the mount syscall directly.
But, you seem to forget the *most* dangerous mount abilities, which are
device nodes and set-uid binaries. Consider forcing nodev, noexec, and
nosuid.
Also the "--move" and "--remount" options aren't safe.
And these are just the problems I know about...
-Mike
On 11/18/2015 7:53 PM, U.Mutlu wrote:
> Mantas Mikulėnas wrote on 11/18/2015 07:24 PM:
>> On 2015-11-18 19:17, U.Mutlu wrote:
>>> Currently no responsible admin can grant permission to the mount pgm
>>> to his users, because of the dangers inherent with bind-mounting etc.
>>>
>>> I suggest there should be an additional mount program destined for
>>> unpriviledged users (to be used via sudo).
>>>
>>> It should be a stripped down version of the mount pgm, with only some
>>> basic options for mounting, but without the dangerous options like
>>> bind-mount.
>>>
>>> The new program should of course have a different name, for example
>>> "usermount".
>>>
>>> I think this is the most clean solution to this problem.
>>>
>>> Users are intessted in mounting their own filesystems into
>>> their own mountpoints, ie. they don't neccesserily need fstab or
>>> mtab etc.:
>>> $ mkdir mymnt1 mymnt2
>>> $ sudo usermount myfs.img ./mymnt1
>>> $ sudo usermount my.iso ./mymnt2
>>
>> fwiw, udisks2 already lets you mount removable drives and loop devices
>> under (/run)/media:
>>
>> $ udisksctl mount -b /dev/sdb4
>>
>> $ udisksctl loop-setup -f ~/foo.img
>
> Thanks, I'll check it out.
>
> In the meantime I wrote the following q&d wrapper around mount.
> I think this should be safe:
>
> /*
> mount-user.c
>
> A wrapper to the mount pgm filtering dangerous options like
> bind-mounting.
> Accepts all valid mount options and passes them to mount, except these:
> -B --bind
> -o bind
>
> Compile:
> $ gcc -Wall -O2 mount-user.c -o mount-user
>
> Install:
> # cp -p mount-user /usr/local/bin
> # chown root:root /usr/local/bin/mount-user
> # chmod 755 /usr/local/bin/mount-user
> #
> # and add it to /etc/sudoers, so that permitted users can use it
> like so:
> $ sudo mount-user myfs.img mymntpoint
>
> Advanced usage:
> Use unshare-user (another useful user util by this author) prior
> to make the user mounts hidden from the rest of the system.
>
> History:
> 2015-11-18-We: v0.1b U.Mutlu: Init
>
> */
>
> #include <unistd.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> #define NELEMS(arr) (sizeof(arr) / sizeof(arr[0]))
> #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0)
>
> int main(int argc, char* argv[])
> {
> char* aszIllegalOpts[] = { "-B", "--bind", "bind" };
> int i, j;
>
> for (i = 1; i < argc; ++i)
> for (j = 0; j < NELEMS(aszIllegalOpts); ++j)
> if (strstr(argv[i], aszIllegalOpts[j]))
> {
> printf("mount-user: error: illegal mount option '%s'
> given\n",
> aszIllegalOpts[j]);
> return 1;
> }
>
> argv[0] = "mount";
> execvp(argv[0], &argv[0]);
> errExit("mount-user");
> }
>
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe util-linux" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: mount-user.c
2015-12-03 20:06 ` mount-user.c Michael Conrad
@ 2015-12-04 7:32 ` U.Mutlu
0 siblings, 0 replies; 11+ messages in thread
From: U.Mutlu @ 2015-12-04 7:32 UTC (permalink / raw)
To: util-linux
Michael Conrad wrote on 12/03/2015 09:06 PM:
> Your script is vulnerable to PATH changes. Also be aware of LD_LIBRARY_PATH
> attacks. If you write a custom c program it should probably call the mount
> syscall directly.
>
> But, you seem to forget the *most* dangerous mount abilities, which are device
> nodes and set-uid binaries. Consider forcing nodev, noexec, and nosuid.
>
> Also the "--move" and "--remount" options aren't safe.
>
> And these are just the problems I know about...
>
> -Mike
Thanks Mike for these useful info.
As Karel here posted, mount has also 'non-superuser mounts' (cf. man mount).
I think this one is safer than my wrapper method, I hope at least :-)
--
U.Mutlu
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2015-12-04 7:32 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-18 17:17 RFC: usermount - a secure mount for unpriviledged users U.Mutlu
2015-11-18 18:24 ` Mantas Mikulėnas
2015-11-19 0:53 ` mount-user.c U.Mutlu
2015-12-03 20:06 ` mount-user.c Michael Conrad
2015-12-04 7:32 ` mount-user.c U.Mutlu
2015-11-19 1:08 ` RFC: usermount - a secure mount for unpriviledged users Casper Ti. Vector
2015-11-19 1:53 ` udevil - mount tool U.Mutlu
2015-11-19 2:21 ` Casper Ti. Vector
2015-11-19 11:05 ` RFC: usermount - a secure mount for unpriviledged users Karel Zak
2015-11-19 18:07 ` U.Mutlu
2015-11-19 18:18 ` U.Mutlu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.