On Sat, Aug 01, 2015 at 08:49:55AM -0700, Isaac Dunham wrote:

> On Thu, Jul 30, 2015 at 10:39:22PM +0200, Didier Kryn wrote:
> >     Isaac, your comment suggests me two questions:
> >     One: is it really possible to mount a Fuse filesystem with 'mount' ? I
> > thought it could only be done with 'fusermount'.

>
> Yes, it is possible.
> I've used sshfs in fstab, set up so I could "mount ~/remote-site".

Presumably the fstab entry specified sshfs. Aren't the restrictions
that sshfs itself imposes already enough? It requires that
~/remote_site be owned by the user executing sshfs, and also that the
user have the correct password to log in to the remote system.

Not even root can access an sshfs file system that I've mounted as
myself.

>

> >     Two: if the idea is not to allow '/sbin/mount' in sudo, but to allow a
> > smart wrapper, is there still an issue?

>
> If the wrapper is smart enough, there isn't.
> Of course, that qualifier is a big one.
>
> If I were doing it, I would
> * disallow -t fuse (if it's set up in /etc/fstab so as to allow users,
> that's OK)
> Perhaps one could even disallow "-t" entirely, and rely on autodetection.
> * disallow mounting at any directory not owned by or writeable by the user.
> Perhaps this could be moderated by ...except that any user can mount
> under /media, if they're not overmounting.

sshfs does this itself.

At present, what defines which user file systems can be a fuser file
system? Perhaps it's the user file systems themselves that should
enforce the security restrictions on their use, as I understand sshfs
to do now.

-- hendrik