Date: 24 Mar 2000 08:39:29 -0500 From: Lowell Gilbert <lowell@world.std.com> To: freebsd-questions@freebsd.org Subject: Re: mounting floppies and cd's Message-ID: <rd6r9d0v65q.fsf@world.std.com> In-Reply-To: Marc Silver's message of Fri, 24 Mar 2000 08:02:03 %2B0200 References: <38D9F4A1.997811ED@bluewin.ch> <20000324080203.F59219@draenor.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Marc Silver <marcs@draenor.org> writes: > As far as I know there isn't something like this in FreeBSD. Well, there's the vfs.usermount sysctl, which allows regular users to mount devices onto the filesystem tree. It's a little different in that it can't be set for some filesystems and not others, but it does address most of the same security concerns. It's still something you'd want to keep away from users who are actually malicious, though. > What you're doing there is setting the binary as setuid which allows > people to execute it as root, and allows them to mount/unmount the CD. That suid program looks okay, but you would want the nosuid and nodev options on that filesystem in your fstab. I'd recommend rdonly as well, and noexec might even be a good idea. A carefully configured sudo setting should be even safer. It's important to remember that mounting filesystems really is a security concern, and there are good reasons for requiring the root password or equivalent in order to change them. Applying the suid program as posted, without the nosuid and nodev options, is essentially giving root powers to anyone on the system who wants to get them. Accordingly, it's only appropriate in situations (like personal workstations) where everyone who can log in to the machine really is trusted with the root password. Even then, it's unnecessarily risky, particularly if the machine is connected to the Internet. Be well. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?rd6r9d0v65q.fsf>