Why 'mount' utils nees a setuid bit? - Security

This is a discussion on Why 'mount' utils nees a setuid bit? - Security ; As we all known , in most case , 'mount ' can only be used by root . But why does it needs a setuid bit by default ? Can a common user use 'mount' program successfully ? What changes ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: Why 'mount' utils nees a setuid bit?

  1. Why 'mount' utils nees a setuid bit?

    As we all known , in most case , 'mount ' can only be used by root .

    But why does it needs a setuid bit by default ?

    Can a common user use 'mount' program successfully ?

    What changes must be made in a system without sudo utils .

  2. Re: Why 'mount' utils nees a setuid bit?

    xi4oyu wrote:

    > As we all known , in most case , 'mount ' can only be used by root .


    Wrong.


    > But why does it needs a setuid bit by default ?
    >
    > Can a common user use 'mount' program successfully ?


    Yes. A regular user can mount entries in /etc/fstab with the 'user' or
    'users' option set.


    > What changes must be made in a system without sudo utils .


    None. Write a proper filesystem table in /etc/fstab.


    Regards,
    Ertugrul.


    --
    http://ertes.de/


  3. Re: Why 'mount' utils nees a setuid bit?

    xi4oyu writes:

    >As we all known , in most case , 'mount ' can only be used by root .


    >But why does it needs a setuid bit by default ?


    >Can a common user use 'mount' program successfully ?


    Yes. If you let him. That is what the users option in /etc/fstab lines are
    about.

    >What changes must be made in a system without sudo utils .


    ???? Install the sudo utilities?


  4. Re: Why 'mount' utils nees a setuid bit?

    Ertugrul Söylemez wrote:

    >> As we all known , in most case , 'mount ' can only be used by root .

    >
    > Wrong.


    Actually, the mount(2) manual page confirms the OP's statement:
    (from mount(2) on a Linux system; other systems may vary)

    Only the super-user may mount and unmount filesystems.

    However ...

    > .... A regular user can mount entries in /etc/fstab with the 'user'
    > or 'users' option set.


    .... if said regular user is able to run "mount" with super-user
    privileges, thus the setuid bit on the mount(8) binary.

    >> What changes must be made in a system without sudo utils .

    >
    > None. Write a proper filesystem table in /etc/fstab.


    agreed ...

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Network and Systems analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------

  5. Re: Why 'mount' utils nees a setuid bit?

    Sylvain Robitaille wrote:

    > >> As we all known , in most case , 'mount ' can only be used by root
    > >> .

    > >
    > > Wrong.

    >
    > Actually, the mount(2) manual page confirms the OP's statement: (from
    > mount(2) on a Linux system; other systems may vary)
    >
    > Only the super-user may mount and unmount filesystems.


    Pay closer attention. You're confusing the syscall mount(2) with the
    command line utility mount(8). For the syscall, the statement is true,
    because it can only be used by processes with effective user-id 0
    (i.e. root), or with proper capabilities. This is, what the SetUID bit
    is good for.


    Regards,
    Ertugrul.


    --
    http://ertes.de/


  6. Re: Why 'mount' utils nees a setuid bit?

    well , there exists some differents to mount a filesytem if you are a
    normal user.
    Even if root has added user options in /etc/fstab , user then can
    mount the filesytem . But it seems that the setuid program in the
    newly mounted FS doesn't a truley setuid program , Even you use ls -
    l ,the result like :

    [test@localhost mnt]$ ls -l
    total 52
    -rwsr-sr-x 1 root root 38468 Apr 17 15:47 chmod
    drwx------ 2 root root 12288 Apr 17 15:42 lost+found

    but the chmod can't turely take efforts on the root's file

    The OS must be designed to take care of this secure issue.

  7. Re: Why 'mount' utils nees a setuid bit?

    Ertugrul Söylemez wrote:

    >> Actually, the mount(2) manual page confirms the OP's statement: (from
    >> mount(2) on a Linux system; other systems may vary)
    >>
    >> Only the super-user may mount and unmount filesystems.

    >
    > Pay closer attention. You're confusing the syscall mount(2) with the
    > command line utility mount(8).


    I'm not. I made a point of clarifying that I was referring to the
    system call's manual page. How do you suppose that mount(8)
    accomplishes the task of actually mounting a filesystem? It calls
    mount(2), which requires euid==0.

    > For the syscall, the statement is true, because it can only be used by
    > processes with effective user-id 0 (i.e. root), or with proper
    > capabilities. This is, what the SetUID bit is good for.


    My point exactly, and the answer to the OP's question.

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Network and Systems analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------

  8. Re: Why 'mount' utils nees a setuid bit?

    In article ,
    xi4oyu writes:
    >well , there exists some differents to mount a filesytem if you are a
    >normal user.
    >Even if root has added user options in /etc/fstab , user then can
    >mount the filesytem . But it seems that the setuid program in the
    >newly mounted FS doesn't a truley setuid program , Even you use ls -
    >l ,the result like :
    >
    >[test@localhost mnt]$ ls -l
    >total 52
    >-rwsr-sr-x 1 root root 38468 Apr 17 15:47 chmod
    >drwx------ 2 root root 12288 Apr 17 15:42 lost+found
    >
    >but the chmod can't turely take efforts on the root's file
    >
    >The OS must be designed to take care of this secure issue.


    That's a different issue than why mount needs setuid.

    It's reasonably common to ignore setuid on user-mounted
    file systems and/or NFS mounted systems. It's a security
    issue. setuid would allow anybody who could do a user-mount
    to take over the system. (All they would need is a setuid script
    that started a shell. Poof, you are root.)

    --
    These are my opinions, not necessarily my employer's. I hate spam.


  9. Re: Why 'mount' utils nees a setuid bit?

    xi4oyu wrote:
    > As we all known , in most case , 'mount ' can only be used by root .
    >
    > But why does it needs a setuid bit by default ?
    >
    > Can a common user use 'mount' program successfully ?
    >
    > What changes must be made in a system without sudo utils .


    Linux is a multi-user system. Devices can be used by
    more than one user. So who gets to own the rights to
    perform the operation?

    Now... with that said, there could be a day when a
    non-root user (but system wide user) is the "owner"
    of the privs for doing a mount, but there will always
    be some kind of system wide policeman. And it is
    a policeman in that you can certainly have root
    (for example) do an operation on your behalf (thus
    the setuid bit) and allow a normal user to seemingly
    perform a privileged operation.

    Another possible alternative is to have user owned
    devices... that is, a disk or partition that belongs
    exclusively to me (nobody else can mount or manipulate
    it). But again, devices in general are not so
    personalized (but it is possible, I'm not talking
    about just the "owner" option).

    To answer your question about allowing a user to
    mount (delegation of privs by the setuid root mount
    program) see the "user", "owner", "group" options (man mount).
    However, mount must maintain the setuid bit to allow
    this (sorry).

+ Reply to Thread