On Thu, Jul 30, 2015 at 10:39:22PM +0200, Didier Kryn wrote:
> On 30/07/2015 01:09, Isaac Dunham wrote:
> >I'm not sure where in the discussion this fits, but I thought I'd mention
> >it here:
> >Permitting all mount invocations via sudo does have a potential security
> >hole if your mount implementation supports FUSE, as you can run an arbitrary
> >command by specifying the mount type.
> >I don't think that sudo does the necessary steps to block this.
> >
> >If you use a wrapper script, you can make it automatically determine the
> >type and run ntfs-3g if appropriate, then allow sudo to run that.
> >If you use a C wrapper, you can do that and make it suid.
> >
> Isaac, your comment suggests two questions to me:
> One: is it really possible to mount a Fuse filesystem with 'mount'? I
> thought it could only be done with 'fusermount'.

Yes, it is possible. I've used sshfs in fstab, set up so I could
"mount ~/remote-site".

> Two: if the idea is not to allow '/sbin/mount' in sudo, but to allow a
> smart wrapper, is there still an issue?

If the wrapper is smart enough, there isn't.
Of course, that qualifier is a big one.

If I were doing it, I would
* disallow -t fuse (if it's set up in /etc/fstab so as to allow users,
  that's OK)
  Perhaps one could even disallow "-t" entirely, and rely on autodetection.
* disallow mounting at any directory not owned by or writeable by the user.
  Perhaps this could be moderated by ...except that any user can mount
  under /media, if they're not overmounting.

I suppose that the second point forces use of a suid helper, rather than
the use of sudo.

Alternately, you could write a wrapper that *always* mounts under /media,
and doesn't accept -t; it just takes a device name, creates an equivalent
name under /media, checks type and whether ntfs-3g is installed, and
passes a suitable type to mount (or uses mount.ntfs-3g).

Thanks,
Isaac Dunham
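
The always-under-/media wrapper described at the end of the message above, sketched as an added example that is not part of the original post or the poster's own code. The function names, the filesystem allowlist, the device-name character set, the kernel `ntfs` fallback and the `nosuid,nodev` options are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: restricted mount wrapper meant to be the only command sudo allows.
MEDIA_ROOT=/media   # fixed here, never taken from the caller's environment

# plan_mount DEVICE DETECTED_TYPE HAVE_NTFS3G   (hypothetical helper)
# Sets mnt_type and mnt_target on success; returns 1 for anything off-policy.
plan_mount() {
    mnt_type= mnt_target=
    case $1 in
        /dev/*) name=${1#/dev/} ;;
        *) return 1 ;;                      # rejects options such as -t or -o
    esac
    case $name in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;    # no '/', '.', spaces: cannot leave /media
    esac
    # The type comes from autodetection and must be on this allowlist (assumed);
    # "fuse" and any other type not listed is never passed to mount.
    case $2 in
        ntfs) if [ "$3" = yes ]; then mnt_type=ntfs-3g; else mnt_type=ntfs; fi ;;
        vfat|exfat|ext2|ext3|ext4|iso9660) mnt_type=$2 ;;
        *) return 1 ;;
    esac
    mnt_target=$MEDIA_ROOT/$name
}

safe_mount() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    detected=$(blkid -o value -s TYPE "$1") || return 1
    if command -v mount.ntfs-3g >/dev/null 2>&1; then have=yes; else have=no; fi
    plan_mount "$1" "$detected" "$have" || { echo "refused: $1" >&2; return 1; }
    # Refuse to overmount an existing mount point under /media.
    if mountpoint -q "$mnt_target"; then
        echo "already mounted: $mnt_target" >&2; return 1
    fi
    mkdir -p "$mnt_target" || return 1
    mount -t "$mnt_type" -o nosuid,nodev "$1" "$mnt_target"
}

# Exactly one argument, the device; there is no way to pass -t or a target.
if [ "$#" -eq 1 ]; then safe_mount "$1"; fi
```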