:: Re: [DNG] automount, mount, and USB…
Top Page
Delete this message
Reply to this message
Author: Rob Owens
Date:  
To: Isaac Dunham
CC: dng
Subject: Re: [DNG] automount, mount, and USB sticks
----- Original Message -----
> From: "Isaac Dunham" <ibid.ag@???>
> I'm not sure where in the discussion this fits, but I thought I'd mention
> it here:
> Permitting all mount invocations via sudo does have a potential security
> hole if your mount implementation supports FUSE, as you can run an arbitrary
> command by specifying the mount type.
> I don't think that sudo does the necessary steps to block this.
>
> If you use a wrapper script, you can make it automatically determine the
> type and run ntfs-3g if appropriate, then allow sudo to run that.
> If you use a C wrapper, you can do that and make it suid.
>

Another reason not to give users wholesale access to the mount command is that
they could then 'mount -o remount,rw' any filesystem that the administrator
has mounted read-only. To protect against this, I think you probably need
something a bit more complicated than just sudo. Of course, for a single
user system, this is not a problem.

-Rob