RFC: usermount - a secure mount for unpriviledged users

RFC: usermount - a secure mount for unpriviledged users

[U.Mutlu]

Currently no responsible admin can grant permission to the mount pgm
to his users, because of the dangers inherent with bind-mounting etc.

I suggest there should be an additional mount program destined for
unpriviledged users (to be used via sudo).

It should be a stripped down version of the mount pgm, with only some
basic options for mounting, but without the dangerous options like bind-mount.

The new program should of course have a different name, for example "usermount".

I think this is the most clean solution to this problem.

Users are intessted in mounting their own filesystems into
their own mountpoints, ie. they don't neccesserily need fstab or mtab etc.:
   $ mkdir mymnt1 mymnt2
   $ sudo usermount myfs.img ./mymnt1
   $ sudo usermount my.iso   ./mymnt2

I think the current author(s)/maintainer(s) of the mount pgm (Karel?)
should make and add such a stripped down usermount pgm to util-linux,
since they know mount the best.

Re: RFC: usermount - a secure mount for unpriviledged users

[Mantas Mikulėnas]

On 2015-11-18 19:17, U.Mutlu wrote:
> Currently no responsible admin can grant permission to the mount pgm
> to his users, because of the dangers inherent with bind-mounting etc.
> 
> I suggest there should be an additional mount program destined for
> unpriviledged users (to be used via sudo).
> 
> It should be a stripped down version of the mount pgm, with only some
> basic options for mounting, but without the dangerous options like
> bind-mount.
> 
> The new program should of course have a different name, for example
> "usermount".
> 
> I think this is the most clean solution to this problem.
> 
> Users are intessted in mounting their own filesystems into
> their own mountpoints, ie. they don't neccesserily need fstab or mtab etc.:
>   $ mkdir mymnt1 mymnt2
>   $ sudo usermount myfs.img ./mymnt1
>   $ sudo usermount my.iso   ./mymnt2

fwiw, udisks2 already lets you mount removable drives and loop devices
under (/run)/media:

  $ udisksctl mount -b /dev/sdb4

  $ udisksctl loop-setup -f ~/foo.img

-- 
Mantas Mikulėnas <grawity@gmail.com>

mount-user.c

[U.Mutlu]

Mantas Mikulėnas wrote on 11/18/2015 07:24 PM:
> On 2015-11-18 19:17, U.Mutlu wrote:
>> Currently no responsible admin can grant permission to the mount pgm
>> to his users, because of the dangers inherent with bind-mounting etc.
>>
>> I suggest there should be an additional mount program destined for
>> unpriviledged users (to be used via sudo).
>>
>> It should be a stripped down version of the mount pgm, with only some
>> basic options for mounting, but without the dangerous options like
>> bind-mount.
>>
>> The new program should of course have a different name, for example
>> "usermount".
>>
>> I think this is the most clean solution to this problem.
>>
>> Users are intessted in mounting their own filesystems into
>> their own mountpoints, ie. they don't neccesserily need fstab or mtab etc.:
>>    $ mkdir mymnt1 mymnt2
>>    $ sudo usermount myfs.img ./mymnt1
>>    $ sudo usermount my.iso   ./mymnt2
>
> fwiw, udisks2 already lets you mount removable drives and loop devices
> under (/run)/media:
>
>    $ udisksctl mount -b /dev/sdb4
>
>    $ udisksctl loop-setup -f ~/foo.img

Thanks, I'll check it out.

In the meantime I wrote the following q&d wrapper around mount.
I think this should be safe:

/*
   mount-user.c

   A wrapper to the mount pgm filtering dangerous options like bind-mounting.
   Accepts all valid mount options and passes them to mount, except these:
     -B  --bind
     -o bind

   Compile:
     $ gcc -Wall -O2 mount-user.c -o mount-user

   Install:
     # cp -p mount-user /usr/local/bin
     # chown root:root /usr/local/bin/mount-user
     # chmod 755 /usr/local/bin/mount-user
     #
     # and add it to /etc/sudoers, so that permitted users can use it like so:
        $ sudo mount-user myfs.img mymntpoint

   Advanced usage:
     Use unshare-user (another useful user util by this author) prior
     to make the user mounts hidden from the rest of the system.

   History:
     2015-11-18-We: v0.1b U.Mutlu: Init

*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NELEMS(arr)  (sizeof(arr) / sizeof(arr[0]))
#define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0)

int main(int argc, char* argv[])
   {
     char* aszIllegalOpts[] = { "-B", "--bind", "bind" };
     int i, j;

     for (i = 1; i < argc; ++i)
       for (j = 0; j < NELEMS(aszIllegalOpts); ++j)
         if (strstr(argv[i], aszIllegalOpts[j]))
           {
             printf("mount-user: error: illegal mount option '%s' given\n",
               aszIllegalOpts[j]);
             return 1;
           }

     argv[0] = "mount";
     execvp(argv[0], &argv[0]);
     errExit("mount-user");
   }

Re: RFC: usermount - a secure mount for unpriviledged users

[Casper Ti. Vector]

Also udevil, which might be of particular interest if you happen to
pursue a system with light dependencies:
<https://ignorantguru.github.io/udevil/>.

On Wed, Nov 18, 2015 at 08:24:19PM +0200, Mantas Mikulėnas wrote:
> fwiw, udisks2 already lets you mount removable drives and loop devices
> under (/run)/media:
> 
>   $ udisksctl mount -b /dev/sdb4
>   $ udisksctl loop-setup -f ~/foo.img

-- 
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C

udevil - mount tool

[U.Mutlu]

Casper Ti. Vector wrote on 11/19/2015 02:08 AM:
> Also udevil, which might be of particular interest if you happen to
> pursue a system with light dependencies:
> <https://ignorantguru.github.io/udevil/>.

Yes, I like lightweight cmdline tools with light dependencies.
I'll try it out, thx.

Do you happen to know if it has some dangerous options like "bind-mounting" 
like the standard "mount" pgm has?
Bind-mounting is a big security risk, really, and that's the sole
reason I was looking for an alternate mount tool for non-root users.

I see it's in the Debian repository; this makes things easier for me
(albeit the description is not very helpful, one could think it's an API :-) :
# aptitude search -F '%p %V %v %d' udevil
udevil  0.4.3-1  <none>  Alternative storage media interface

Re: udevil - mount tool

[Casper Ti. Vector]

> % udevil mount -o bind /dev/sdb1
> udevil: denied 90: option 'bind' is not an allowed option

Since the package is provided on you distro, you can install it and then
search for `allowed_options' in /etc/udevil/udevil.conf (or somewhere
like that; distros sometimes modify installation paths).  I think the
default policy is already reasonable; you can still fine-tune it if
necessary, since the mechanism is quite flexible.

On Thu, Nov 19, 2015 at 02:53:04AM +0100, U.Mutlu wrote:
> Do you happen to know if it has some dangerous options like "bind-mounting" 
> like the standard "mount" pgm has?
> Bind-mounting is a big security risk, really, and that's the sole
> reason I was looking for an alternate mount tool for non-root users.

-- 
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C

Re: RFC: usermount - a secure mount for unpriviledged users

[Karel Zak]

On Wed, Nov 18, 2015 at 06:17:12PM +0100, U.Mutlu wrote:
> Currently no responsible admin can grant permission to the mount pgm
> to his users, because of the dangers inherent with bind-mounting etc.

man mount, "The non-superuser mounts." section.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: RFC: usermount - a secure mount for unpriviledged users

[U.Mutlu]

Karel Zak wrote on 11/19/2015 12:05 PM:
> On Wed, Nov 18, 2015 at 06:17:12PM +0100, U.Mutlu wrote:
>> Currently no responsible admin can grant permission to the mount pgm
>> to his users, because of the dangers inherent with bind-mounting etc.
>
> man mount, "The non-superuser mounts." section.
>
>      Karel

The man page says:
  The non-superuser mounts.
  Normally, only the superuser can mount filesystems. However, when fstab
  contains the user option on a line, anybody can mount the corresponding 
filesystem.

Ok, let's try this out:

/etc/fstab:
...
/home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1 auto user,noauto 0 0
/home/userx/tmp/myfs2.img /home/userx/tmp/mymnt2 auto user,noauto 0 0

userx@mach:~/tmp$ ls -l
-rw-r--r-- 1 userx userx 10485760 Nov 19 02:11 myfs1.img
-rw-r--r-- 1 userx userx 10485760 Nov 17 07:20 myfs2.img
drwxr-xr-x 2 userx userx     4096 Nov 19 18:38 mymnt1
drwxr-xr-x 2 userx userx     4096 Nov 19 18:38 mymnt2

userx@mach:~/tmp$ mount /home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1
mount: only root can do that

So, then why is this not working?

Re: RFC: usermount - a secure mount for unpriviledged users

[U.Mutlu]

U.Mutlu wrote on 11/19/2015 07:07 PM:
> Karel Zak wrote on 11/19/2015 12:05 PM:
>> On Wed, Nov 18, 2015 at 06:17:12PM +0100, U.Mutlu wrote:
>>> Currently no responsible admin can grant permission to the mount pgm
>>> to his users, because of the dangers inherent with bind-mounting etc.
>>
>> man mount, "The non-superuser mounts." section.
>>
>>      Karel
>
> The man page says:
>   The non-superuser mounts.
>   Normally, only the superuser can mount filesystems. However, when fstab
>   contains the user option on a line, anybody can mount the corresponding
> filesystem.
>
> Ok, let's try this out:
>
> /etc/fstab:
> ...
> /home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1 auto user,noauto 0 0
> /home/userx/tmp/myfs2.img /home/userx/tmp/mymnt2 auto user,noauto 0 0
>
> userx@mach:~/tmp$ ls -l
> -rw-r--r-- 1 userx userx 10485760 Nov 19 02:11 myfs1.img
> -rw-r--r-- 1 userx userx 10485760 Nov 17 07:20 myfs2.img
> drwxr-xr-x 2 userx userx     4096 Nov 19 18:38 mymnt1
> drwxr-xr-x 2 userx userx     4096 Nov 19 18:38 mymnt2
>
> userx@mach:~/tmp$ mount /home/userx/tmp/myfs1.img /home/userx/tmp/mymnt1
> mount: only root can do that
>
> So, then why is this not working?

Ok, it now works when doing so:
$ userx@mach:~/tmp$ mount ./mymnt1

and unmounting
$ userx@mach:~/tmp$ umount ./mymnt1

Re: mount-user.c

[Michael Conrad]

Your script is vulnerable to PATH changes.  Also be aware of 
LD_LIBRARY_PATH attacks.  If you write a custom c program it should 
probably call the mount syscall directly.

But, you seem to forget the *most* dangerous mount abilities, which are 
device nodes and set-uid binaries.  Consider forcing nodev, noexec, and 
nosuid.

Also the "--move" and "--remount" options aren't safe.

And these are just the problems I know about...

-Mike

On 11/18/2015 7:53 PM, U.Mutlu wrote:
> Mantas Mikulėnas wrote on 11/18/2015 07:24 PM:
>> On 2015-11-18 19:17, U.Mutlu wrote:
>>> Currently no responsible admin can grant permission to the mount pgm
>>> to his users, because of the dangers inherent with bind-mounting etc.
>>>
>>> I suggest there should be an additional mount program destined for
>>> unpriviledged users (to be used via sudo).
>>>
>>> It should be a stripped down version of the mount pgm, with only some
>>> basic options for mounting, but without the dangerous options like
>>> bind-mount.
>>>
>>> The new program should of course have a different name, for example
>>> "usermount".
>>>
>>> I think this is the most clean solution to this problem.
>>>
>>> Users are intessted in mounting their own filesystems into
>>> their own mountpoints, ie. they don't neccesserily need fstab or 
>>> mtab etc.:
>>>    $ mkdir mymnt1 mymnt2
>>>    $ sudo usermount myfs.img ./mymnt1
>>>    $ sudo usermount my.iso   ./mymnt2
>>
>> fwiw, udisks2 already lets you mount removable drives and loop devices
>> under (/run)/media:
>>
>>    $ udisksctl mount -b /dev/sdb4
>>
>>    $ udisksctl loop-setup -f ~/foo.img
>
> Thanks, I'll check it out.
>
> In the meantime I wrote the following q&d wrapper around mount.
> I think this should be safe:
>
> /*
>   mount-user.c
>
>   A wrapper to the mount pgm filtering dangerous options like 
> bind-mounting.
>   Accepts all valid mount options and passes them to mount, except these:
>     -B  --bind
>     -o bind
>
>   Compile:
>     $ gcc -Wall -O2 mount-user.c -o mount-user
>
>   Install:
>     # cp -p mount-user /usr/local/bin
>     # chown root:root /usr/local/bin/mount-user
>     # chmod 755 /usr/local/bin/mount-user
>     #
>     # and add it to /etc/sudoers, so that permitted users can use it 
> like so:
>        $ sudo mount-user myfs.img mymntpoint
>
>   Advanced usage:
>     Use unshare-user (another useful user util by this author) prior
>     to make the user mounts hidden from the rest of the system.
>
>   History:
>     2015-11-18-We: v0.1b U.Mutlu: Init
>
> */
>
> #include <unistd.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> #define NELEMS(arr)  (sizeof(arr) / sizeof(arr[0]))
> #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); } while (0)
>
> int main(int argc, char* argv[])
>   {
>     char* aszIllegalOpts[] = { "-B", "--bind", "bind" };
>     int i, j;
>
>     for (i = 1; i < argc; ++i)
>       for (j = 0; j < NELEMS(aszIllegalOpts); ++j)
>         if (strstr(argv[i], aszIllegalOpts[j]))
>           {
>             printf("mount-user: error: illegal mount option '%s' 
> given\n",
>               aszIllegalOpts[j]);
>             return 1;
>           }
>
>     argv[0] = "mount";
>     execvp(argv[0], &argv[0]);
>     errExit("mount-user");
>   }
>
>
>
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe util-linux" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: mount-user.c

[U.Mutlu]

Michael Conrad wrote on 12/03/2015 09:06 PM:
> Your script is vulnerable to PATH changes.  Also be aware of LD_LIBRARY_PATH
> attacks.  If you write a custom c program it should probably call the mount
> syscall directly.
>
> But, you seem to forget the *most* dangerous mount abilities, which are device
> nodes and set-uid binaries.  Consider forcing nodev, noexec, and nosuid.
>
> Also the "--move" and "--remount" options aren't safe.
>
> And these are just the problems I know about...
>
> -Mike

Thanks Mike for these useful info.

As Karel here posted, mount has also 'non-superuser mounts' (cf. man mount).
I think this one is safer than my wrapper method, I hope at least :-)

-- 
U.Mutlu