Date: 11 Aug 1999 15:22:03 -0400
From: Lowell Gilbert <lowell@world.std.com>
To: freebsd-questions@freebsd.org
Subject: Re: users mounting filesystems
Message-ID: <rd6hfm6rulg.fsf@world.std.com>
In-Reply-To: Cillian Sharkey's message of Wed, 11 Aug 1999 14:52:01 +0100
References: <Pine.BSF.4.05.9908111348200.2373-100000@gwdu60.gwdg.de> <37B18001.D2A1881@baker.ie>

Cillian Sharkey <cillian@baker.ie> writes:

> > if [ "$USER" = expert ]; then
> >   alias mount='/usr/local/bin/sudo /sbin/mount'
> >   alias umount='/usr/local/bin/sudo /sbin/umount'
> > fi
>
> Hmm..doing this means that they have access to mount/unmount
> any filesystem they want to (plus override any options in /etc/fstab),
> which is not what I want when they only need to be able to mount a msdos
> floppy disk for example..

Not true, actually. 'sudo' has a facility in the "sudoers" file for
permitting certain users to use sudo only for certain commands. It
even has pretty extensive alias and wildcard features built in to that
facility. This allows you to not only limit them to mounting specific
devices, but also to mounting them nosuid -- or even noexec. This is
very important; if you don't trust people with full access to sudo, you
probably shouldn't trust them with the ability to mount disks with suid
bits enabled either. The Linux "user" mount option you mentioned in
your original message automatically implies nosuid and noexec.

There are also some questions about how tight control you want to keep
on how many users can do these things at once, and whether users other
than the one who issued the mount command should be able to access the
filesystem. There are some games you can play with changing the
ownership of the mount points on login, and Andrew J. Korty had some
clever patches (in a now four-month-old PR) for doing similar things
from within the mount and umount commands. However, these are issues
of the user's security rather than the system's, and may be less
important in many environments.

Be well.
Lowell Gilbert

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
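
The per-command restriction described in the message above, sketched as a sudoers fragment. This is an added example, not part of the original e-mail; the user name "expert" comes from the quoted alias, while the floppy device /dev/fd0 and the mount point /floppy are assumptions.

```sudoers
# Added example (not from the original message). Edit with visudo.
# Assumed: user "expert", floppy device /dev/fd0, mount point /floppy.

# Weak form: no argument list is given, so sudo accepts ANY arguments.
# "expert" could mount any device on any directory, with suid bits honoured,
# and unmount any filesystem.
# expert ALL = (root) /sbin/mount, /sbin/umount

# Restricted form: when a command in sudoers carries arguments, the user's
# command line must match them exactly. The comma inside the -o option list
# has to be escaped, because an unescaped comma separates sudoers entries.
Cmnd_Alias FLOPPY_MOUNT  = /sbin/mount -t msdos -o nosuid\,noexec /dev/fd0 /floppy
Cmnd_Alias FLOPPY_UMOUNT = /sbin/umount /floppy

# Only these two exact invocations are permitted, on any host, as root.
expert ALL = (root) FLOPPY_MOUNT, FLOPPY_UMOUNT
```

With the restricted entry, the only accepted mount invocation is `sudo /sbin/mount -t msdos -o nosuid,noexec /dev/fd0 /floppy`; a different device, mount point, or option string does not match and is refused. A shell alias like the one quoted in the message would need to expand to that full argument list.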