I am writing some tools that operate on files stored inside a disk image file under a users control. FUSE tools like fuse2fs are used to access file systems inside of partitions of those image files.
However, mounting those filesystems, and even accessing parts of it still require superuser privileges (and a lot of kernel work), as FUSE will still register the filesystem in kernel space, provide an /etc/mtab entry and VFS mount of course.
FUSE allows some configuration to allow a non-privileged user to mount such FS, but fuse2fs still enforces user rights.
So I wonder if something can be done to stop for example fuse2fs exporting the fs to kernel space at all, and just access files in userspace. Like a wrapper, used like this:
fusewrapper --fuse-cmd="fuse2fs foo.img /bar" ls /bar/ # lists "/" of foo.img's ext4 FS
fusewrapper --user=root --group=root --fuse-cmd="fuse2fs foo.img /bar" cat /bar/baz # prints "/baz" contents from foo.img's ext4 fs as root.
where /bar is a virtual mount path only valid inside of the fusewrapper universe and ls / cat internal fusewrapper command to list or cat the named path.
This tool would only use the kernel for access to foo.img and stdin / out, and can still impersonate any user (eg. root).
How could such a tool work? What is needed to get rid of FUSEs non-userspace parts (eg. kernel interface) ?
Related
I wrote a little program, where i mounted an encrypted volume after the user inserts the password with veracrypt an showed the content to the user in a specific way inside my programm. Everything works fine, but i want to prevent that the volume is shown in Nautilus.
The following command mounts the volume:
"veracrypt -m ro /path/to/file/file -p" + pw
Veracrypt help command shows:
--fs-options=OPTIONS
Filesystem mount options. The OPTIONS argument is passed to mount(8)
command with option -o when a filesystem on a VeraCrypt volume is mounted.
This option is not available on some platforms.
But i'm not able to find a mount option for linux-mount command, which will do the job. Is there any? What can i do?
A simple workaround may be to mount the volume to a directory that begins with a .. These directories should not be visible in most file managers without specifying they should show hidden files/folders.
Of course, obscuring the folder isn't perfect and is no substitute for setting proper access control specifies via chmod.
How can mount a partition in an already existent folder of my linux tree? What happens with the already created file and can I move these to the new disk in the process?
I am using a Ubuntu 16.04 with an SSD and HD disk, I would like to mount the ~/Documents or $HOME in the HD moving the files already created and free the SSD to the main files of the operation system (in this moment all the files are in the SSD and the HD is only formatted as Ext4).
The moment you mount the new parition on top off ~/Documents you cant access the Files anymore, but there are some Options:
Mount the HD somewhere else first and move the files. (code is just an example, it is not supposed to be executable as is)
mount /dev/disks/by-lable/foo /media/temporary
mv /home/hildogjr/Documents/* /media/temporary
umount /media/temporary
mount /dev/disks/by-lable/foo /home/hildogjr/Documents
Use a bindmount, to still be able to access the files after mounting:
mount --bind /home/hildogjr/Documents /media/Documents_on_ssd
mount /dev/disks/by-lable/foo /home/hildogjr/Documents
mv /media/Douments_on_ssd/* /home/hildogjr/Documents
umount /media/Documents_on_ssd
Use a unionfs, and move the files over Time. man unionfs:
It first tries to access the file on the top branch and if the file
does not exist there, it continues on lower level branches. If the
user tries to modify a file on a lower level read-only branch the file
is copied to to a higher level read-write branch if the copy-on-write
(cow) mode was enabled.
Is it possible on Linux or MacOSX to prevent a Unix domain socket file (e.g. in /tmp) that is currently bound from being deleted? I want a mode 0777 socket that users can connect to but that users cannot delete while the daemon is running.
Right now a normal user can 'rm' the socket, preventing anyone else from accessing it until the daemon is restarted. Seems like it should be 'busy' if it's bound.
You could make a new subdirectory and set read only permissions on the directory after you make the socket:
mkdir /tmp/blah
cd /tmp/blah
# do stuff to create /tmp/blah/socket
chmod 555 /tmp/blah
rm /tmp/blah/socket
rm: cannot remove /tmp/blah/socket: Permission denied
(or the equivalent to that from C / your language of choice)
It depends entirely on the directory that contains the socket. /tmp is somewhat special in that it has the "sticky bit" set on the directory (if you execute ls -ld /tmp you will see the permissions field is usually: drwxrwxrwt or, more usefully, mode 1777. That sticky bit (the t at the end) is important when set on a directory. Quoting man chmod:
The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents
unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the re‐
stricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp. For regular files on some older
systems, the bit saves the program's text image on the swap device so it will load more quickly when run; this is called the sticky bit.
This is exactly what you want - file-system level protection against a user removing the file. It is also 100% portable to all modern UNIX-like environments.
So, if you are creating your endpoint in /tmp you already have the protections you want. If you want to create the endpoint elsewhere, for example /opt/sockets, simply chmod 1777 /opt/sockets. The last part of the "trick" to getting the protections you want is to ensure that the root user is the actual owner of the endpoint. If the endpoint is owned by user fred then fred will always be able to delete the endpoint, which may well be a desirable thing. But if not, simply chown root:root /path/to/endpoint.
I am trying to do a soft link from one directory to another, the directory I am trying to access I have read and execute. However, its parent directory I do NOT have execute permissions.
Is there a way to do a soft link, to my desired directory without giving me execute permission to the parent directory?
Below is the code I used:
ln -s /home/dir1/dir2/desired_directory symbolic_link_name
the link just comes up as red with grey background.
Thank you.
Although this is not possible with symlinks, you could do it with mount --bind. Note that if the whole point is to circumvent security, then this is probably a very bad idea.
Your command would be
mount --bind /home/dir1/dir2/desired_directory mount_dir
There are a few issues to be aware of:
The target directory mount_dir must exist before (same as any mount point)
Root access is required to execute the mount commmand
The created "link" will not persist after a reboot unless a corresponding line is added to /etc/fstab
If the origin directory contains mounted file systems, these will not be transferred to the target. The mount points will appear as empty directories.
Using mount --bind may be considered bad practice because most programs are not aware that the "link" is not a standard directory. For instance it allows the creation of loops in the directory tree which make any tree parsing application (think "ls -R") enter a possibly infinite loop.
It may be hazardous when combined with recursive delete operations. See for instance Yet another warning about mount --bind and rm -rf.
Symbolic links are not a way to circumvent permissions set on their targets. No, there is no way to do what you want. If it was possible it would be a serious security issue.
I have a statically linked code(not a module) in kernel that should launch kernel thread after root file system is mounted. The problem is I don't know how to do this without modifying prepare_namespace() kernel function. I thought it's possible to do via initcalls but
they're executed before kernel takes care about rootfs.
Does anyone know the best way to do this?
UPDATE [1]: #BenVoigit suggested the following solution in comments:
Seems like you should open /proc/mounts and poll_wait on it. See the source for `mounts_poll'
UPDATE [2]: I looked at RSBAC patches, RSBAC modifies prepare_namespace() function to make some actions after filesystem is mounted. It seems to be the easiest way.
Well, current Linux images are too big to fit the PC boot sector. Modern bootloaders like grub will mount an small filesystem in RAM before the real one.
To understand what is happening under the hood, you can open the disk image located under /boot. For example, in Ubuntu:
mkdir test
cd test
zcat /boot/initrd.img-2.6.35-24-generic > image.cpio
cpio -i < image.cpio
vim init
In the end, it's just a bunch of shell scripts - the simplicity is almost poetic.