On 30/07/2015 01:09, Isaac Dunham wrote:
On Thu, Jul 30, 2015 at 12:40:33AM +0200, Didier Kryn wrote:
I don't understand the preventions against sudo. It is just up to the
administrator to take care, like for everything.
Whether execution of the command is allowed by sudo, by a setuid bit or
by policykit does not change the result. Sudo is simply the most versatile
method to allow/disallow actions, IMHO far easier to configure than
policykit. Don't forget that allowed commands may (should) be specified with
their absolute path, therefore bypassing PATH. It is better than having a
specialized daemon for this and that, because it keeps everything configured
in one well known file.
In the case of mounting USB sticks, this applies to a personal computer,
where the owner is also the administrator. For convenience, a limited list
of actions may be allowed without password, like mounting a USB key.
I'm not sure where in the discussion this fits, but I thought I'd mention
it here:
Permitting all mount invocations via sudo does have a potential security
hole if your mount implementation supports FUSE, as you can run an arbitrary
command by specifying the mount type.
I don't think that sudo does the necessary steps to block this.
If you use a wrapper script, you can make it automatically determine the
type and run ntfs-3g if appropriate, then allow sudo to run that.
If you use a C wrapper, you can do that and make it suid.
Isaac, your comment suggests two questions to me:
One: is it really possible to mount a FUSE filesystem with 'mount'?
I thought it could only be done with 'fusermount'.
Two: if the idea is not to allow '/sbin/mount' in sudo, but to
allow a smart wrapper, is there still an issue?
Didier
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
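The "smart wrapper" Isaac describes, as an added example that is not part of the thread and not anyone's posted code: a POSIX sh script that a sudoers rule can expose instead of /bin/mount itself. It never accepts a filesystem type from the caller; it probes the device with blkid and proceeds only if the probed type is on a fixed list, so a "type" naming an arbitrary program cannot be passed through. The sudoers line, the /media layout, the allowed-type list and the ntfs-3g mapping in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): restrictive USB mount wrapper.
# Assumed sudoers rule (hypothetical path and group):
#   %plugdev ALL=(root) NOPASSWD: /usr/local/sbin/mount-usb
# so that sudo exposes this script, with its absolute path, rather than
# /bin/mount with free-form arguments.

# Filesystem types the wrapper is willing to mount (assumed policy).
ALLOWED_FSTYPES="vfat exfat ntfs ext4"

# Return 0 if $1 is on the allowed list, 1 otherwise.
allowed_fstype() {
    for t in $ALLOWED_FSTYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Return 0 if $1 is spelled like a SCSI/USB partition node (/dev/sdXN or
# /dev/sdXNN), 1 otherwise. Whole disks, option strings and arbitrary
# paths are refused here; whether the node really exists is checked later.
valid_device_name() {
    case "$1" in
        /dev/sd[a-z][0-9]|/dev/sd[a-z][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is /media/NAME with NAME a single component made only of
# [A-Za-z0-9_-], 1 otherwise. This rules out '..', nested paths and
# anything outside /media.
valid_mountpoint() {
    case "$1" in
        /media/*) ;;
        *) return 1 ;;
    esac
    name=${1#/media/}
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Probe the type with blkid (util-linux) and mount with hardened options.
# Not exercised by the test harness; it needs root and a real device.
mount_usb() {
    dev=$1
    mnt=$2
    valid_device_name "$dev" || { echo "refused: bad device name $dev" >&2; return 1; }
    [ -b "$dev" ] || { echo "refused: $dev is not a block device" >&2; return 1; }
    valid_mountpoint "$mnt" || { echo "refused: bad mount point $mnt" >&2; return 1; }
    fstype=$(blkid -o value -s TYPE "$dev") || return 1
    allowed_fstype "$fstype" || { echo "refused: type '$fstype' not allowed" >&2; return 1; }
    case "$fstype" in
        ext4)
            mtype=ext4
            opts="nosuid,nodev,noexec" ;;
        ntfs)
            # Assumed: ntfs-3g is installed and provides mount.ntfs-3g, so the
            # program run here is fixed by this script, never by the caller.
            mtype=ntfs-3g
            opts="nosuid,nodev,noexec,uid=$SUDO_UID,gid=$SUDO_GID" ;;
        *)
            mtype=$fstype
            opts="nosuid,nodev,noexec,uid=$SUDO_UID,gid=$SUDO_GID" ;;
    esac
    mkdir -p "$mnt"
    exec mount -t "$mtype" -o "$opts" "$dev" "$mnt"
}

if [ "$#" -eq 2 ]; then
    mount_usb "$1" "$2"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 /dev/sdXN /media/NAME" >&2
    exit 2
fi
```

Usage under the assumed rule would be `sudo /usr/local/sbin/mount-usb /dev/sdb1 /media/usb0`. The point of the design is that every value reaching mount (type, options, mount point) is either a constant in the script or derived from the device by blkid; the caller only chooses which partition node and which /media name, and both are validated against a closed pattern.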