[ale] user using mount

Michael B. Trausch fd0man at gmail.com
Sun May 28 19:53:50 EDT 2006


On Sun, May 28 2006 12:51, David Corbin wrote:
>
> OK.  I understand the whitelist vs. blacklist argument.  Howver, I
> *think* it should be secure to mount a remote file system anywhere I have
> write permission.  I'd even settle for having to have "rwx" permission. 
> Or even some other special permission.  Or only if I own the mount point.
>
> It just seems that if I have access to the remote system, I should be
> able to mount in 'my area'.  Now, I happen to be root for all my systems,
> so it's just inconvenience right now.
>

Possibly for local things -- but that's what HAL and DBUS do, IIRC.  e.g., I 
plug in my USB hard drive, and it just works.  KDE applications also have 
an interesting abstraction for networked filesystems over various 
protocols, such as SSH, though it doesn't work with other types (non KDE) 
programs.  For simple file access, it is just fine, though, because you can 
copy to the local FS and use the file and then move it back, if you are 
going to use a non-KDE application on it.

Everything else, though, you can set up "transparent" access for other 
things by simply configuring sudo to use the mount command w/o a password, 
and use your .bash_profile and .bash_logout, .kde/Autostart, or whatever 
mechanism you use to start things when you login to the system, and mount 
the FS and then unmount it when you logout.  It's insecure -- but so is 
letting any user mount any arbitrary item in the system.  I would have to 
think about the situation you proposed more, regarding the way that it 
would be done, but I think that would still likely not be a feasible 
option.

Even if it were secure from a programming standpoint and everything, it 
would certainly violate business rules in places where Linux would be 
used... Businesses even lock out functionality on Windows that permits the 
system users from doing such things by taking advantage of the standard 
user level accounts, instead of letting them run as Admin, if the network 
administrator is smart enough to think about that.

	 - Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available




More information about the Ale mailing list