|sudoers & mount
||[Dec. 18th, 2009|09:13 am]
Ok, so I can grant su access to a user/grp for the command /bin/mount and /bin/umount. I'd like to do this, but I don't want to give everyone access to everything in /etc/fstab. |
Is there a way to set up a user to have access to mount & umount just for certain predefined mnt points?
A friend of mine did this years ago, and I believe here's how:
You basically don't want any random access outside the parameters you set. So you don't provide that. You instead use su within a contained instruction set, which users can't access, to very temporarily do it for them.
If you know already what the mount points are, you can include that in the instruction set. If you don't, then you can have a query for that immediately preceding the contained su instruction. At no point do users have random access.
If fstab is root rw, that would control mounting issues right?
The mechanics of this are over my head; I only remember him explaining the theory to me. It went something like:
1 - Lock out user interface
2 - Reassign user to su level access
3 - Do thing that users aren't normally allowed to do
4 - Revert user access to normal level
5 - Return user interface control
Or it might have been an uninterruptible closed-loop instruction set, which did not return control until and unless it completed the operation, so that the user never has random access during the brief time they've got su level access.
I have a friend who's knowledgeable about Linux networking in secure systems, whom I'll be seeing tonight. I'll try to remember to ask.
See «user» option to mount (in fstab).