On 30/07/2015 01:09, Isaac Dunham wrote:
> On Thu, Jul 30, 2015 at 12:40:33AM +0200, Didier Kryn wrote:
>> I don't understand the preventions against sudo. It is just up to the
>> administrator to take care, like for everything.
>>
>> Whether execution of the command is allowed by sudo, by a setuid bit or
>> by policykit does not change the result. Sudo is simply the most versatile
>> method to allow/disallow actions, IMHO far easier to configure than
>> policykit. Don't forget that allowed commands may (should) be specified with
>> their absolute path, therefore bypassing PATH. It is better than having a
>> specialized daemon for this and that, because it keeps everything configured
>> in one well known file.
>>
>> In the case of mounting usb sticks, this applies to a personal computer,
>> where the owner is also the administrator. For convenience, a limited list
>> of actions may be allowed without password, like mounting a usb key.
>
> I'm not sure where in the discussion this fits, but I thought I'd mention
> it here:
> Permitting all mount invocations via sudo does have a potential security
> hole if your mount implementation supports FUSE, as you can run an arbitrary
> command by specifying the mount type.
> I don't think that sudo does the necessary steps to block this.
>
> If you use a wrapper script, you can make it automatically determine the
> type and run ntfs-3g if appropriate, then allow sudo to run that.
> If you use a C wrapper, you can do that and make it suid.
>
>
Isaac, your comment suggests two questions to me:
One: is it really possible to mount a Fuse filesystem with 'mount'?
I thought it could only be done with 'fusermount'.
Two: if the idea is not to allow '/sbin/mount' in sudo, but to
allow a smart wrapper, is there still an issue?
Didier
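An added example of the wrapper approach Isaac describes (not code from either poster): a POSIX sh wrapper that sudo is allowed to run instead of /bin/mount. It accepts only a device node directly under /dev, a mount point directly under /media, and a filesystem type from a fixed list, so every fuse.* type (where the type names a helper program) is refused before mount is ever called. The sudoers line, the install path and the allowed-type list are assumptions.

```shell
#!/bin/sh
# safe-mount: constructed example wrapper, assumed to live at /usr/local/sbin/safe-mount
# and to be the only mount-related entry a user gets in sudoers, e.g.
#   user ALL=(root) NOPASSWD: /usr/local/sbin/safe-mount
# Usage: safe-mount DEVICE MOUNTPOINT [FSTYPE]
# Filesystem types the wrapper is willing to pass to mount -t. Anything else,
# including plain "fuse" and every fuse.* type, is refused, so the type argument
# can never name a program for the FUSE mount helper to execute.
ALLOWED_TYPES="vfat exfat ext4 ntfs-3g iso9660"

# Return 0 when DEVICE, MOUNTPOINT and FSTYPE are acceptable, 1 otherwise.
# Purely syntactic checks; existence checks are done in main().
check_mount_args() {
    dev=$1; mnt=$2; fstype=$3
    # Device must be a single path component directly under /dev, no "..".
    case $dev in
        /dev/*/*|*..*) return 1 ;;
        /dev/?*) ;;
        *) return 1 ;;
    esac
    # Mount point must be a single path component directly under /media.
    case $mnt in
        /media/*/*|*..*) return 1 ;;
        /media/?*) ;;
        *) return 1 ;;
    esac
    # Filesystem type must match one allow-listed word exactly.
    for t in $ALLOWED_TYPES; do
        [ "$fstype" = "$t" ] && return 0
    done
    return 1
}

# Detect the filesystem type with blkid; prints nothing if unknown.
detect_type() {
    blkid -o value -s TYPE "$1" 2>/dev/null
}

main() {
    dev=$1; mnt=$2; fstype=${3:-$(detect_type "$dev")}
    # blkid reports "ntfs"; the helper that mounts it read-write is ntfs-3g.
    [ "$fstype" = ntfs ] && fstype=ntfs-3g
    if ! check_mount_args "$dev" "$mnt" "$fstype" || ! [ -b "$dev" ] || ! [ -d "$mnt" ]; then
        echo "safe-mount: refused: $dev $mnt $fstype" >&2
        exit 1
    fi
    # "--" ends option parsing; nosuid,nodev stop the medium from carrying setuid binaries.
    exec mount -t "$fstype" -o nosuid,nodev -- "$dev" "$mnt"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```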