A security question.

According to the handbook, "18.5.2 Testing the Configuration":

To mount a USB device, I need to create a directory in /mnt and set the permissions like this:
Code:
# mkdir /mnt/username
# chown username:usergroup /mnt/username
Let us assume the username is fender_01.
So, now as an unprivileged user I can cp a file to "/mnt/fender_01".
The problem is that if I didn't mount anything on that directory and didn't create a partition for the "/mnt" directory, I can easily fill the "/" directory by copying some large file to "/mnt/fender_01". :(

Let us try.

before cp:
Code:
df -h
Filesystem      Size    Used   Avail Capacity  Mounted on
/dev/ad12s1a    989M     37M    873M     4%    /
devfs           1.0K    1.0K      0B   100%    /dev
/dev/ad12s1g    237G     17G    202G     8%    /home
/dev/ad12s1e    3.9G    166K    3.6G     0%    /tmp
/dev/ad12s1f     39G    5.1G     31G    14%    /usr
/dev/ad12s1d    3.9G     58M    3.5G     2%    /var
procfs          4.0K    4.0K      0B   100%    /proc

after cp a movie to "mnt/fender_01":

Code:
du -h Seven_Habits.avi 
507M	Seven_Habits.avi
cp Seven_Habits.avi /mnt/fender_01
df -h
Filesystem      Size    Used   Avail Capacity  Mounted on
/dev/ad12s1a    989M    544M    366M    60%    /
devfs           1.0K    1.0K      0B   100%    /dev
/dev/ad12s1g    237G     17G    202G     8%    /home
/dev/ad12s1e    3.9G    166K    3.6G     0%    /tmp
/dev/ad12s1f     39G    5.1G     31G    14%    /usr
/dev/ad12s1d    3.9G     58M    3.5G     2%    /var
procfs          4.0K    4.0K      0B   100%    /proc

So, I think this is a security problem.
 
OK, I'll explain.
You don't allow users to use a common mountpoint, especially somewhere in root.
You let them mount media only to a directory in their home.

Now you should use separate /home, or set quotas for it.
This way, user can't fill root, but can only fill his own space.

Personally I $ chmod o= /mnt so normal users can't even read it (because I mount backup media there when I back up the system).

Well on this computer I'm the only one using it, but it's good to have habits like this when you work as admin [I think]
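
An added example, not part of any post in this thread: a POSIX sh check for the situation described in the first post. It lists directories under /mnt that have nothing mounted on them, so anything written there lands on the parent filesystem. The function names are made up for this sketch, and it assumes mount point paths contain no spaces.

```sh
#!/bin/sh
# Added example: list directories under a base (default /mnt) that have
# nothing mounted on them, so writes there fill the parent filesystem.

# Print the mount point of the filesystem holding path $1.
fs_of() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $NF}'
}

# Exit 0 if $1 is a plain directory on its parent's filesystem,
# 1 if something is mounted on it, 2 if it is not a directory.
shares_parent_fs() {
    [ -d "$1" ] || return 2
    [ "$(fs_of "$1")" = "$(fs_of "$1/..")" ]
}

# Print "<dir> owner=<user> fills=<mount point>" for each exposed directory.
audit_mountpoints() {
    base=${1:-/mnt}
    for d in "$base"/*/; do
        d=${d%/}
        # Skip non-matches of the glob and symlinks to directories.
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        # Skip directories that currently have a filesystem mounted on them.
        shares_parent_fs "$d" || continue
        owner=$(ls -ld "$d" | awk '{print $3}')
        printf '%s owner=%s fills=%s\n' "$d" "$owner" "$(fs_of "$d")"
    done
    return 0
}

audit_mountpoints "${1:-/mnt}"
```

A line ending in fills=/ with a non-root owner is the case from the first post: that user can consume space on the root filesystem whenever no media is mounted there.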
 
I have tried mounting them in my home directory, but look at this:

Code:
mount_cd9660 /dev/acd0 mnt/
umount mnt/
umount: unmount of /home/fender/mnt failed: Device busy

I can mount them to /tmp/some_dir and umount them; however, I can't umount them if I mount them to home/mnt. :(

What is the difference between different mount points?
I run gnome as desktop, so I think if I run freebsd without X and "hal" I can avoid this problem (I can't umount them if I mount them into /home/mnt).
To make hal ignore "da" and "acd" I set up two files according to this: http://www.freebsd.org/gnome/docs/halfaq.html#q2
Code:
> pwd
/usr/local/share/hal/fdi/preprobe/20thirdparty
> cat *
<?xml version="1.0" encoding="UTF-8"?>

<deviceinfo version="0.2">
  <device>
    <match key="freebsd.driver" string="da">
      <merge key="info.ignore" type="bool">true</merge>
    </match>
  </device>
</deviceinfo>
<?xml version="1.0" encoding="UTF-8"?>

<deviceinfo version="0.2">
  <device>
    <match key="freebsd.driver" string="acd">
      <merge key="info.ignore" type="bool">true</merge>
    </match>
  </device>
</deviceinfo>
 
I don't use Desktop Environments, so I can't help here much.

But I think under gnome, it mounts media automatically, and you get an icon of the mounted media. You can right-click on it and in the menu you'll see unmount.
I think you need to use that to unmount media under gnome [That is, if it's automatically mounted]

The fact that media is auto-mounted could also explain the Device busy error when you try to mount manually.

It doesn't matter where you mount media, behavior is always the same, but as you pointed out in your 1st post, not everywhere you mount media can be safe ;) better mount it in your home
 
Let me summarize:
1. I think the following instruction in the handbook "18.5.2 Testing the Configuration" is not perfect.
Code:
# mkdir /mnt/username
# chown username:usergroup /mnt/username
Because if you mkdir in "/mnt" for a normal user and give them permission, the normal user can fill "/".

2. I created a "mnt" in my home and want to mount cdrom and usb devices to my home's mnt to avoid this problem, but I got another problem (can mount but can't umount).

I have tried mounting cdrom and usb to /tmp/some_dir, and everything is ok.

So there are some differences between different mount points. This may be caused by "hal". :(

But I think there isn't any difference between the two mount points.
 
check permission and group of ~/mnt
check that user that tries to mount media to ~/mnt belongs to group mentioned in /etc/devfs.rules
check that device actually has the right group, and that this group has w/r permission to it
 
you can log out of gnome,
press ctrl+alt+f1, login in console, insert cd/flash and then try to mount media.
This way, gnome & hal should stay in your way.... :)
 
I dunno about you, but I always make separate /tmp

and when I was using UFS, I did crazy things with GPT partitions ;)


now I use zfs and I still create separate tmp ;)
 
killasmurf86 said:
I dunno about you, but I always make separate /tmp

and when I was using UFS, I did crazy things with GPT partitions ;)


now I use zfs and I still create separate tmp ;)

I see your point, and with zfs it's really practical to have lots of partitions. Personally I'm not ready to go for zfs all the way (I run my machines on 7.2/i386 for now).

OTOH I regularly use root partitions of 4Gb these days, mainly because I do frequent snapshots and keep them for a few weeks, but it also gives me some headroom should I do something stupid that would normally fill my root.
 