Solved Users not allowed to use USB keys?

M

mikethe1wheelnut

Greetings :)

I just came across the following in the handbook, section 18.4.1:

Allowing untrusted users to mount arbitrary media, by enabling vfs.usermount as described below, should not be considered safe from a security point of view. Most file systems were not built to safeguard against malicious devices.
Click to expand...

I'm just really surprised. In any .. "normal" computer lab, you're able to use your usb key to import your files. If this was considered a security risk, surely they wouldn't allow that. So.. is this a special BSD thing?
 
mikethe1wheelnut said:
I'm just really surprised. In any .. "normal" computer lab, you're able to use your usb key to import your files. If this was considered a security risk, surely they wouldn't allow that. So.. is this a special BSD thing?
Click to expand...
"Normal" being subjective here.

It is Normal for a user not to be able to mount a USB stick on any of the 9 laptops I have running FreeBSD. Only root can mount removable media.

While generally not considered "good" practice, good being the subjective term here, I su to become root in the terminal, mount and summon my file manager to work with files as root.

su
mount -v -t msdosfs /dev/da0s1 /media/da0s1
xfe

When I'm done I shut down the file manager, unmount the drive and log out of the root account.
 
Trihexagonal said:
It is Normal for a user not to be able to mount a USB stick on any of the 9 laptops I have running FreeBSD. Only root can mount removable media.
Click to expand...

..so.. I'm a new visitor to your lab. I have all my "text" documents and pdf's and photos, etc, etc, on my usb key.. or even more generally, I have files I want to do something with. All the assignments, essays etc. I'm working on for my various classes.. How do I get them on the computer? Do I have to have them stored in the cloud? What if I specifically don't want that? For example, cloud services can change.. and who knows how private they are.. kind of like the same situation as with bitcoin: never trust a bitcoin exchange to not get hacked.. ..or do I hand you my usb key and you add them to my user directory?

I'm honestly fascinated.. this is a new world for me..

EDIT: This situation would make more sense to me if it was explicitly stated that FreeBSD was -not- and -never was- intended to be used by, for example, students in a university computer lab. That it was instead designed to host web-servers, embedded devices (that would get their information from sensors..), etc. (I've done that much research..)

Edit 2: Further reading in the handbook has reminded me about ssh.. so again, there are many ways of transferring files..
 
I heard about research about "file system vulnerabilities".
For example, specially created filesystem can break some OS security mechanisms.
It is true for the most filesystems and OS'es.
So mounting any filesystem by unprivileged user considered as a security risk.

p.s.
The recent example of file system vulnerability is gracefully presented by Microsoft: where access to "C:\:$i30:$bitmap" may corrupt their filesystem.
 
im said:
I heard about research about "file system vulnerabilities".
For example, specially created filesystem can break some OS security mechanisms.
It is true for the most filesystems and OS'es.
So mounting any filesystem by unprivileged user considered as a security risk.

p.s.
The recent example of file system vulnerability is gracefully presented by Microsoft: where access to "C:\:$i30:$bitmap" may corrupt their filesystem.
Click to expand...

Thank's for your research! I'm not disputing that such vulnerabilities exist, at least in some places/situations. :)

That said, I'm particularly focused on the fact that there seems to be a clear "cultural divide" between users/administrators of university computer labs (where transferring your files from your personal computer and the lab computers is the normal way of doing things), and the world of FreeBSD users/administrators, which I know basically nothing about. My knowledge of BSD dates from the last week or two at most, if you don't count a poster I saw in the computer science club room like 20 years ago..
 
mikethe1wheelnut said:
..so.. I'm a new visitor to your lab. I have all my "text" documents and pdf's and photos, etc, etc, on my usb key.. or even more generally, I have files I want to do something with. All the assignments, essays etc. I'm working on for my various classes.. How do I get them on the computer? Do I have to have them stored in the cloud? What if I specifically don't want that? For example, cloud services can change.. and who knows how private they are.. kind of like the same situation as with bitcoin: never trust a bitcoin exchange to not get hacked.. ..or do I hand you my usb key and you add them to my user directory?
Click to expand...
It matters not what you want. It's what I want and I'm root.

!. You will not have cloud service.
2. You will not have botcoin operations.
3. You will not bring any personal USB stick onto the premisis.
5. No files you submit will be transferred onto one of my machines.
6. You do not have clearance to be admitted to my facility.

Best of luck in your future endeavors.
 
Trihexagonal said:
It matters not what you want. It's what I want and I'm root.

!. You will not have cloud service.
2. You will not have botcoin operations.
3. You will not bring any personal USB stick onto the premisis.
5. No files you submit will be transferred onto one of my machines.
6. You do not have clearance to be admitted to my facility.

Best of luck in your future endeavors.
Click to expand...

..Oh boy.. ..woaw!.. just hold on there a minute! ..I now have this sudden intense conviction that you have a wildly mis-placed idea of who I am and what my motivations are. I'm -not- asking to use your services! I have -no- idea who you are, and no idea what your computers are supposed to be used for! It's looking now like you work for (or more likely own your own) super-secret research facility.. so yes, in that case, -definite- cultural divide.. :-S
 
mikethe1wheelnut said:
In any .. "normal" computer lab, you're able to use your usb key to import your files.
Click to expand...
Any "normal" lab has restrictions. You can't just stick anything in these days. Haven't you heard about things like viruses and malware?

mikethe1wheelnut said:
So.. is this a special BSD thing?
Click to expand...
It's not. It's a UNIX thing. No users are allowed to mount disks. It requires elevated privileges (i.e. root) to do so. To make it more user friendly FreeBSD has a vfs.usermount sysctl an admin can set so users are allowed to mount drives under certain restrictions.
 
mikethe1wheelnut said:
..Oh boy.. ..woaw!.. just hold on there a minute! ..I now have this sudden intense conviction that you have a wildly mis-placed idea of who I am and what my motivations are. I'm -not- asking to use your services!
Click to expand...
Well let's see...

mikethe1wheelnut said:
..so.. I'm a new visitor to your lab. I have all my "text" documents and pdf's and photos, etc, etc, on my usb key.. or even more generally, I have files I want to do something with. All the assignments, essays etc. I'm working on for my various classes.. How do I get them on the computer? Do I have to have them stored in the cloud? What if I specifically don't want that? For example, cloud services can change.. and who knows how private they are.. kind of like the same situation as with bitcoin: never trust a bitcoin exchange to not get hacked.. ..or do I hand you my usb key and you add them to my user directory?
Click to expand...
New "visitor"arrives at Chaos Facility - Parts Unknown.
Warning Sign #1 root command issued - # drcr -1 Defense Readiness Condition Raised One Level

Wants "text" documents, .pdf, .png, jpg, etc. transferred to Chaos Computers.
Warning Sign #2 Possible Blended Threat.

Desired to access WAN from LAN for "cloud services" to download data onto Chaos Computers.
Warning Sign #3 Possible rootkit installation planned.

Attempts to override root Authority and disputes Chaos Policy to achieve own agenda.
Warning Sign #4 Possible enemy agent.

Questions Chaos Privacy Policy and makes suggestions to prevent being "hacked".
Warning Sign #5 Social Engineering Attempt. Conformation of Enemy Agent.

Mentions bitcoin in relation to using Chaos Computers.
Warning Sign #6 Possible bitcoin mining intended.

Wants to supply own USB key to Chaos Admin.
Warning Sign #7 Social Engineering Attempt of root to insert and mount Enemy Agents USB stick.

Release Dobermans.
 
mikethe1wheelnut said:
..so.. I'm a new visitor to your lab. I have all my "text" documents and pdf's and photos, etc, etc, on my usb key.. or even more generally, I have files I want to do something with. All the assignments, essays etc. I'm working on for my various classes.. How do I get them on the computer? Do I have to have them stored in the cloud? What if I specifically don't want that? For example, cloud services can change.. and who knows how private they are.. kind of like the same situation as with bitcoin: never trust a bitcoin exchange to not get hacked.. ..or do I hand you my usb key and you add them to my user directory?

I'm honestly fascinated.. this is a new world for me..

EDIT: This situation would make more sense to me if it was explicitly stated that FreeBSD was -not- and -never was- intended to be used by, for example, students in a university computer lab. That it was instead designed to host web-servers, embedded devices (that would get their information from sensors..), etc. (I've done that much research..)

Edit 2: Further reading in the handbook has reminded me about ssh.. so again, there are many ways of transferring files..
Click to expand...

SirDice said:
Any "normal" lab has restrictions. You can't just stick anything in these days. Haven't you heard about things like viruses and malware?


It's not. It's a UNIX thing. No users are allowed to mount disks. It requires elevated privileges (i.e. root) to do so. To make it more user friendly FreeBSD has a vfs.usermount sysctl an admin can set so users are allowed to mount drives under certain restrictions.
Click to expand...

SirDice has provided you the answer you are after, if this is what you want and need, FreeBSD does not prevent you from allowing regular users to mount usb sticks, however this is considered insecure and not enabled by default.

Personally, this is one of the many reasons that drove me to FreeBSD, I do not want employees to be able to mount USB keys and exfiltrate data. You must go through a dedicated office to do such operations. This makes you sleep much better as an admin/business owner as you can have total control of the data flow in your organization.
 
mikethe1wheelnut said:
Greetings :)

I just came across the following in the handbook, section 18.4.1:



I'm just really surprised. In any .. "normal" computer lab, you're able to use your usb key to import your files. If this was considered a security risk, surely they wouldn't allow that. So.. is this a special BSD thing?
Click to expand...
"In any .. "normal" computer lab, you're able to use your usb key to import your files."
Its false
 
reddy said:
SirDice has provided you the answer you are after, if this is what you want and need, FreeBSD does not prevent you from allowing regular users to mount usb sticks, however this is considered insecure and not enabled by default.

Personally, this is one of the many reasons that drove me to FreeBSD, I do not want employees to be able to mount USB keys and exfiltrate data. You must go through a dedicated office to do such operations. This makes you sleep much better as an admin/business owner as you can have total control of the data flow in your organization.
Click to expand...

Many thank's reddy, you've provided a very nice answer. :)
I can see how from the perspective of a company this would make sense. Clearly, I have no experience of such a work environment.. XD
As for vfs.usermount, yes, I've seen it mentioned in several places, and I'll probably be using it.

As for not responding right away, I sent that last message at like 2 in the morning, then finally called it a day.

As for trihexagonal's response.. I'm just laughing. If only he(she?) could see the situation I was imagining as I described that, the contrast to what they described, I think they would to, it's so stark! ;-) (I was imagining a student in a university computer lab, with the person in charge of the lab at their desk, and the student trying to figure out how to get their english lit essay on the computer so they could continue working on it. -I considered using the term "word-document", which would have been accurate 90% of the time at that time, but I thought that, here, that would probably get mocked, so.. XD)

Apparently I come from a special part of the world where sticking a flash-drive into a lab computer is normal! XD
 
mikethe1wheelnut said:
I considered using the term "word-document", which would have been accurate 90% of the time at that time, but I thought that, here, that would probably get mocked, so.. XD)
Click to expand...
Voiced intent to transfer Word Document onto Chaos Computers
Warning Sign #8 Suspicion of Enemy Agent intent to deploy Word Documents as vehicle for use of Macro and Scripting Vulnerabilities Confirmed

Deadly Force Authorized. Shoot on sight.
 
Well, I entered this thread, and you almost brought me near to a heart attack. I am shipping electrochemical laboratory equipment and the controlling device and data acquisition is done by a PC operated by FreeBSD 12 with the GNOME3 desktop environment. I rely on the functionality of USB removable media plugged-in by end users, because most customers don’t let these systems into their LAN, and without that, the scientists would need to use a ball pen to transcribe megabytes of measurement data from the screen, won’t they?

I tried it once again - and of course it works. A normal user can plugin a USB drive, GNOME does mount it as the user who is logged-in, and we can get hands on our data. So what you’re talking about? Here comes the evidence photo. A USB pendrive named Daten just plugged-in to the Desktop system, when user rolf was logged-in.

Media be mounted only be root? Come on, this is an April fool joke from nerdistan. I do this since the 90th with all my desktop systems, mostly Mac's (some Windows'). Personally, I use FreeBSD not as a desktop but as a server OS, and with that it never made a difference, because I login as root anyway.

GNOM3 mounts USB automatically when plugged-in.png
 
We have a number of shared machines for our students and yes, they (contrary to advice) have their code on usb sticks rather than on the internal SVN/Git servers.

Our FreeBSD solution replaced the Solaris (10) SunRay solution where they had a ratty script (uteject, utmount) to do the job: https://docs.oracle.com/cd/E19846-01/817-6807/817-6807.pdf

We achieve similar using a (different ratty) script that ultimately asks a daemon to do the mounting (so the user doesn't need to be root).

For your personal computer, perhaps just set up sudo with nopasswd: just for the mount script. I personally only allow fat32 or ntfs. I don't really want them mounting NFS or overlay or nullfs and doing weird things like that ;)

Also, from my own experiments, not unmounting the stick and pulling it doesn't seem to be so bad (It used to be terrible in FreeBSD 6.x era). Unfortunately, if there were issues I don't know of a good way to solve this. (We did consider small Raspberry Pi machines to act as the hub intermediary but that is a lot of faff). So again, a smaller subset of filesystems were used to avoid exposing potential issues.
 
obsigna said:
Well, I entered this thread, and you almost brought me near to a heart attack. I am shipping electrochemical laboratory equipment and the controlling device and data acquisition is done by a PC operated by FreeBSD 12 with the GNOME3 desktop environment. I rely on the functionality of USB removable media plugged-in by end users, because most customers don’t let these systems into their LAN, and without that, the scientists would need to use a ball pen to transcribe megabytes of measurement data from the screen, or what?

I tried it once again - and of course it works. A normal user can plugin a USB drive, GNOME does mount it as the user who is logged-in, and we can get hands on our data. So what you’re talking about? Here comes the evidence photo. A USB pendrive named Daten just plugged-in to the Desktop system, when user rolf was logged-in.

Media be mounted only be root? Come on, this is a April's fool joke from nerdistan. I do this since the 90th with all my desktop systems, mostly Mac's (some Windows'). Personally, I use FreeBSD not as a desktop but as a server OS, and with that it never made a difference, because I login as root anyway.

View attachment 9487
Click to expand...
..fascinating.. (I have Xfce installed!) ..who would'a'known? XD yes, yes, somebody would have.. XD ;-)

..as for april fools.. check out the handbook, chapter 18, starting at 18.4 ...and weep.. XD :p
 
..for the record, I finally bit the bullet, or gave up, depending on your preferred choice of words, and attempted the file transfer with a fresh usb. No modifications to said usb, or to the FreeBSD install. After a small amount of semi-random clicking, it worked. It mounted automatically without the terminal involved at all. This in xfce. ..all's well that ends well! :-D (the original usb was formatted with ventoy by windows 10)
 
obsigna said:
Media be mounted only be root? Come on, this is an April fool joke from nerdistan. I do this since the 90th with all my desktop systems, mostly Mac's (some Windows').
Click to expand...
Your desktop environment has a helper application running on the root account that does the actual mounting. Yes, even on Windows you're not allowed to mount disks as a user (it requires elevated privileges), there too processes running in the background will do the actual mounting for you. Same with MacOS.

Many of the "helper" applications provide additional levels of authorization allowing an admin more finely grained permissions instead of an "all or nothing" type setting (which is what vfs.usermount is). For the open desktop type environments this is typically done through PolKit (PolicyKit). On Windows this is done through group policies. I'm sure MacOS has something for it too, I rarely deal with it so I don't know.
 
SirDice said:
Your desktop environment has a helper application running on the root account that does the actual mounting. Yes, even on Windows you're not allowed to mount disks as a user (it requires elevated privileges), there too processes running in the background will do the actual mounting for you. Same with MacOS.
Click to expand...
I knew that it worked. Of course I tested it, before shipping my systems. That there is some smart daemon behind the scenes is also quite obvious. Anyway, that could have been the answer in message #2 of this thread. Instead we read pages of useless clownery of a unix smart aleck (not you).

Then from a security point of view. The user needs to get the hands on his/her data, since after all, this is what data processing machines are for, aren’t it? The system tells him/her to become root before he/she gets access - OK, the user needs the data so he/she becomes root the one or the other way. Now tell me, how can a USB volume be more secured? Mounted as unrestricted root or mounted with restricted user rights on a restricted mount point?
 
obsigna said:
Anyway, that could have been the answer in message #2 of this thread. Instead we read pages of useless clownery of a unix smart aleck (not you).
Click to expand...
No, that would be me.

Please elborate and be as brutally honest and verbose as possible.
 
You must log in or register to reply here.
Back
Top