> >
> > 1) Only allow mount over a directory for which the user has write
> > access (and is not sticky)
> >
> > 2) Use nosuid,nodev mount options
> >
> > [ parts deleted ]
>
> Do these solve all the security concerns with unprivileged mounts, or
> are there other barriers/concerns? Should there be ulimit (or rlimit)
> style restrictions on how many mounts/binds a user is allowed to have
> to prevent users from abusing mount privs?
Currently there is a (configurable) global limit for all non-root FUSE
mounts. An additional per-user limit would be nice, but from the
security standpoint it doesn't matter.
> I was thinking about this a while back and thought having a user-mount
> permissions file might be the right way to address lots of these
> issues. Essentially it would contain information about what
> users/groups were allowed to mount what sources to what destinations
> and with what mandatory options.
I haven't yet seen the need for such a great flexibility. Debian
installs fusermount (the FUSE mount utility) "-rwsr-x--- root fuse",
so only users in the "fuse" group are allowed to use it. This is sane
for a new technology, but I expect these limitations to be removed
once it establishes itsef as a secure solution.
> You can get the start of this with the user/users/etc. stuff in
> /etc/fstab, but I was envisioning something a bit more dynamic with
> regular expression based rules for sources and destinations. So,
> something like:
[snip]
> Is this unnecessary? Is this not enough?
Maybe it is necessary, but why bother until somebody actually wants
it? I'm a great believer of the "lazy" development philosophy ;)
Thanks,
Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]