[plug] Just started with linux, need help

Christian christian at global.net.au
Tue Oct 5 10:04:33 WST 1999


Greg Mildenhall wrote:
> 
> On Mon, 4 Oct 1999, Christian wrote:
> > Brad Campbell wrote:
> > > Have you checked that the user you're trying to mount from has the 'user'
> > > group in their list.
> > > Or possibly the cdrom, disk, or floppy group ?
> > You don't have to be in any special groups at all to be able to mount
> > devices specified with the "user" option in fstab.  *Any* user can mount
> > the device if this option is enabled.
> 
> Really? I'd be absolutely shocked if the kernel's behaviour was affected
> by a file in /etc at runtime. I'm _sure_ you still have to be root to
> mount a volume, regardless of the contents of fstab. AFAIU, fstab is
> entirely for the benefit of the mount program. As such, you will need to
> have permission to run mount as root. For this, mount must be SUID, be
> owned by user root, and belong to some group of which you are a member, (or
> else world executable, which is not a good idea)

Ok, I guess if we're going to be ridiculously precise in our
explanations then I should have said "*Any* user can mount the device if
this option is enabled *and* they are able to run the setuid-root
mount(8) binary."  Given the fact that every single Linux distribution I
can ever remember using has shipped with mount setuid-root and world
executable, my omission seems, at most, small.  Especially when you
remember that the explanation was primarily there for the sake of
someone who is probably still grappling with the concepts of
permissions, groups and owners - let alone set[ug]id bits!

Interestingly, the manual page for mount(8) virtually assumes (in a very
similar way to what I did!) that mount will be setuid root and world
executable.  For example:

       (iii) Normally, only the superuser can mount file systems.
       However, when fstab contains the user option  on  a  line,
       then _anybody_ can mount the corresponding system.

       Thus, given a line
              /dev/cdrom  /cd  iso9660  ro,user,noauto,unhide
       _any_  user  can  mount the iso9660 file system found on his
       CDROM using the command
              mount /dev/cdrom

	...

              user   Allow _an ordinary user_  to  mount  the  file
                     system.   This  option  implies  the options
                     noexec, nosuid, and nodev (unless overridden
                     by subsequent options, as in the option line
                     user,exec,dev,suid).

(emphasis added).

Perhaps we should be emailing the distributions asking that they
correct all their manual pages - after all, if my omission of the fact
that mount(8) needs to be setuid-root and world executable is worthy of
note when explaining the issue to a newbie, then surely manual pages
(which explain the issue to everyone!) should be correct...  Or maybe we
won't bother and accept the fact that mount(8) is setuid-root and world
executable by default (very much standard) and that if an administrator
decides to change this (either by removing the setuid bit or by o-rx)
then they realise they are deliberately *breaking* correct, intended,
documented system behaviour and that they accept this.

As for the danger from making mount setuid-root and world executable, I
don't know of any *current* buffer overflows or such in mount - if
someone here knows something the rest of the world doesn't then maybe
you should share. :-)  On a multiuser system allowing interactive logins
then removing user access (or set[ug]id bits) from set[ug]id programs
would be a security measure worth considering - on a (mostly)
single-user workstation, it's hardly an issue except that it adds
inconvenience.

Regards,

Christian.

-- 
Stone's Law:
	One man's "simple" is another man's "huh?"
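
Added example, not part of Christian's message or of mount(8) itself: a small audit of which fstab entries an ordinary user can mount and whether the noexec, nosuid and nodev restrictions implied by "user" are still in force once later options are applied. The function names and the sample fstab are constructed for illustration; handling of "users" and "nouser" goes beyond the man page excerpt quoted above.

```python
# Added example: audit which fstab entries ordinary users can mount.
# Rule taken from the mount(8) text quoted above: "user" implies noexec,
# nosuid and nodev unless a *subsequent* option overrides them.
IMPLIED = ("noexec", "nosuid", "nodev")

def audit_options(options):
    """Apply options left to right; return (user_mountable, restrictions in force)."""
    user_mountable = False
    active = set()
    for opt in (o.strip() for o in options.split(",")):
        if opt in ("user", "users"):      # "users" is an assumption beyond the page
            user_mountable = True
            active.update(IMPLIED)
        elif opt == "nouser":
            user_mountable = False
        elif opt in IMPLIED:
            active.add(opt)
        elif "no" + opt in IMPLIED:       # exec, suid, dev lift a restriction
            active.discard("no" + opt)
    return user_mountable, active

def audit_fstab(text):
    """Return (device, mountpoint, lifted_restrictions) for user-mountable entries."""
    findings = []
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, _fstype, options = fields[:4]
        user_mountable, active = audit_options(options)
        if user_mountable:
            lifted = [r for r in IMPLIED if r not in active]
            findings.append((device, mountpoint, lifted))
    return findings

# Constructed sample; the /dev/cdrom line is the one from the man page excerpt.
SAMPLE_FSTAB = """\
/dev/hda1   /        ext2     defaults                   1 1
/dev/cdrom  /cd      iso9660  ro,user,noauto,unhide
/dev/fd0    /floppy  vfat     user,exec,dev,suid,noauto  0 0
/dev/sdb1   /zip     vfat     exec,user,noauto           0 0
"""

if __name__ == "__main__":
    for device, mountpoint, lifted in audit_fstab(SAMPLE_FSTAB):
        note = "lifts " + ",".join(lifted) if lifted else "implied restrictions intact"
        print(f"{device} on {mountpoint}: user-mountable, {note}")
```

The /dev/sdb1 line shows why option order matters: "exec" placed before "user" is overridden again by the restrictions "user" implies.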

