On Thu, Jul 30, 2015 at 10:39:22PM +0200, Didier Kryn wrote:
> Le 30/07/2015 01:09, Isaac Dunham a écrit :
> >I'm not sure where in the discussion this fits, but I thought I'd mention
> >it here:
> >Permitting all mount invocations via sudo does have a potential security
> >hole if your mount implementation supports FUSE, as you can run an arbitrary
> >command by specifying the mount type.
> >I don't think that sudo does the necessary steps to block this.
> >
> >If you use a wrapper script, you can make it automatically determine the
> >type and run ntfs-3g if appropriate, then allow sudo to run that.
> >If you use a C wrapper, you can do that and make it suid.
> >
> Isaac, your comment suggests two questions to me:
> One: is it really possible to mount a Fuse filesystem with 'mount'? I
> thought it could only be done with 'fusermount'.
Yes, it is possible.
I've used sshfs in fstab, set up so I could "mount ~/remote-site".
> Two: if the idea is not to allow '/sbin/mount' in sudo, but to allow a
> smart wrapper, is there still an issue?
If the wrapper is smart enough, there isn't.
Of course, that qualifier is a big one.
If I were doing it, I would
* disallow -t fuse (if it's set up in /etc/fstab so as to allow users,
that's OK)
Perhaps one could even disallow "-t" entirely, and rely on autodetection.
* disallow mounting at any directory not owned by or writeable by the user.
Perhaps this could be moderated by ...except that any user can mount
under /media, if they're not overmounting.
I suppose that the second point forces use of a suid helper, rather than
the use of sudo.
Alternately, you could write a wrapper that *always* mounts under
/media, and doesn't accept -t; it just takes a device name, creates an
equivalent name under /media, checks type and whether ntfs-3g is installed,
and passes a suitable type to mount (or uses mount.ntfs-3g).
Thanks,
Isaac Dunham
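A wrapper along the lines Isaac sketches (a device name only, always mounted under /media, type autodetected, fuse and -t refused), written as an added example rather than code from the thread; it assumes util-linux blkid and mountpoint are present and that /dev/<name> maps to /media/<name>:

```shell
#!/bin/sh
# Hypothetical sudo-able wrapper (added example, not from the thread): takes
# exactly one plain /dev node and mounts it under /media/<name>. The caller
# cannot pass -t or -o; the type comes from blkid, fuse is refused, and an
# existing mount is never overmounted.

# Accept only /dev/<name> with a safe character set, so no option strings,
# relative paths or shell metacharacters reach mount (rejects /dev/mapper/x too).
validate_device() {
    case "$1" in /dev/*) ;; *) return 1 ;; esac
    case "${1#/dev/}" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# Map /dev/sdb1 to /media/sdb1 (assumed naming scheme).
mountpoint_for() {
    printf '/media/%s\n' "${1#/dev/}"
}

# Translate a blkid TYPE into the -t value we are willing to pass.
# Only an explicit allow list gets through; fuse* and unknown types fail.
choose_type() {
    case "$1" in
        ntfs) if command -v ntfs-3g >/dev/null 2>&1; then echo ntfs-3g; else echo ntfs; fi ;;
        ext2|ext3|ext4|vfat|exfat|xfs|btrfs|iso9660) echo "$1" ;;
        *) return 1 ;;
    esac
}

do_mount() {
    dev=$1
    validate_device "$dev" || { echo "refusing argument '$dev'" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    fstype=$(blkid -o value -s TYPE "$dev")
    mtype=$(choose_type "$fstype") || { echo "unsupported type '$fstype'" >&2; return 1; }
    mp=$(mountpoint_for "$dev")
    mkdir -p "$mp"
    if mountpoint -q "$mp"; then echo "$mp is already mounted" >&2; return 1; fi
    # nosuid,nodev: a user-initiated mount should not introduce setuid binaries.
    mount -t "$mtype" -o nosuid,nodev "$dev" "$mp"
}

# Exactly one argument acts; anything else only defines the functions.
if [ "$#" -eq 1 ]; then do_mount "$1"; fi
```

The sudoers entry then names this script alone, never /sbin/mount, so the only thing a user controls is the device name.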