
sudoers & mount - Linux Help Desk

sudoers & mount [Dec. 18th, 2009|09:13 am]


Ok, so I can grant su access to a user/grp for the command /bin/mount and /bin/umount. I'd like to do this, but I don't want to give everyone access to everything in /etc/fstab.

Is there a way to set up a user to have access to mount & umount just for certain predefined mnt points?

From: sapphorlando
2009-12-18 02:59 pm (UTC)
A friend of mine did this years ago, and I believe here's how:

You basically don't want any random access outside the parameters you set. So you don't provide that. You instead use su within a contained instruction set, which users can't access, to very temporarily do it for them.

If you know already what the mount points are, you can include that in the instruction set. If you don't, then you can have a query for that immediately preceding the contained su instruction. At no point do users have random access.
From: pkbarbiedoll
2009-12-18 03:12 pm (UTC)
If fstab is root rw, that would control mounting issues right?
From: sapphorlando
2009-12-18 07:34 pm (UTC)
The mechanics of this are over my head; I only remember him explaining the theory to me. It went something like:

1 - Lock out user interface
2 - Reassign user to su level access
3 - Do thing that users aren't normally allowed to do
4 - Revert user access to normal level
5 - Return user interface control

Or it might have been an uninterruptible closed-loop instruction set, which did not return control until and unless it completed the operation, so that the user never has random access during the brief time they've got su level access.

I have a friend who's knowledgeable about Linux networking in secure systems, whom I'll be seeing tonight. I'll try to remember to ask.
From: tzirechnoy
2009-12-18 06:25 pm (UTC)
See «user» option to mount (in fstab).
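The two approaches raised in the thread side by side, as an added example that is not part of any post above: a per-entry `user` option in fstab, and a sudoers rule that pins mount/umount to one explicit mount point. The device, mount point and group name are assumptions.

```text
# /etc/fstab -- the "user" option (assumed device /dev/sdb1, mount point /mnt/backup)
# "user" lets any unprivileged user mount and unmount this one entry, no sudo needed,
# and implies noexec,nosuid,nodev unless you override them explicitly.
# Only the user who mounted it may unmount it; use "users" if anyone should be able to.
/dev/sdb1   /mnt/backup   ext4   noauto,user   0 0

# /etc/sudoers -- the sudo route, if you prefer it (edit with visudo; group %ops is assumed)
# The argument is part of the match, so only these exact invocations are permitted:
# "sudo mount /mnt/other" or "sudo mount -o remount,rw /mnt/backup" do not match and are refused.
%ops ALL=(root) /bin/mount /mnt/backup, /bin/umount /mnt/backup
```

With the sudoers rule, the mount options still come from the fstab entry for /mnt/backup, so keep that line root-owned and non-writable by the group.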