Disabling automount and hard drive mount for standard users.

Has anyone had success in disabling drive automount and disallowing a standard user from performing mnt actions?

I'm dual-booting and also booting off usb drives, and am unhappy (from a security perspective) that a standard user account automatically gets access to the Windows nfts partition for example. It seems to me that that is a substantial vulnerability because user-mode malware could write nasties (including rootkits) to the Windows partition.

While I can prevent the automount, it does not stop a standard user from then doing a mnt on any partition it can see without any further privileges. I've also tried editing the fstab in Ubuntu 12.04 but that didn't work.

Any tips on what might be effective greatly welcomed, preferably for an Ubuntu-based distro .

 

This is unfortunately a bit involved thanks to udisks/polkit, and the method for doing it changes about every 6 months. Last I checked it involves putting snippets of Javascript in deeply nested folders in /etc. (I wish I were kidding.)

My advice would be to put the Windows partition in fstab, and make sure it is mounted read-only and only readable by root. With the partition already mounted, udisks will not be able to remount it, let alone with read-write permissions for everyone.

Also

<rant mode>
I really don't know what the Freedesktop crowd is thinking, coming up with stuff like this. A wholly separate set of permissions? Javascript and XML parsers required for mounting devices? Special daemons needed to check that a user is not SSHed in, just to prevent accidental shutdowns that would never even happen on a properly configured machine? Blargh. This is Rube Goldberg crap.
</rant mode>

Edit: on the other hand I feel I should also point out that, if a malicious party has a remote shell and can execute the arbitrary commands needed to mess with the Windows filesystem, you have much much bigger problems.

 

User-mode malware could write ... to the Windows partition ...

Really ... interesting. Now let's drop sci-fi and focus on real life.

And it's simple, don't get infected in the first place, and then you won't need to worry about what if.

What if malware sends goatse pics to your grandmother. Disable mail/sendmail too?
What if it plays Benny Hill, disable audio and speakers?

Mrk

 

Thanks for the steer, agree with the frustrations....

I would agree with the sci-fi comment EXCEPT that it seems to me that the industrialisation of malware plus state actors make people running Pendrive/LiveCD/dual boot Linux distros a prime target. And if I were seeking to subvert that, I would welcome the opportunity not to need privilege escalation, and I could easily transmit the call-home results out by proxy by installing the malware in the Windows OS as a rootkit, and have that run the next time the person runs their "normal" Windows session. It wouldn't matter that the Linux retained its integrity or that it was read-only or that the malware disappeared on logout. It think the scenario of a Linux pendrive or dual boot plus Windows would be common, and it's not easy to disable the hard drive.

Not getting infected in the first place is clearly better, but if you have the privilege escalation bar, that makes it substantially harder. Writing to disk is easy for any process, sending mail and controlling internet access can be rather more protected.

Rather more generally, it doesn't seem such an outrageous thing from a business pov that a Linux standard user shouldn't be allowed to arbitrarily mount drives because that's a very well known information leakage mechanism. But it's very much not easy to achieve.

 

Hi deBoetie,

From a Unix/Linux perspective, if you make sure that the adm group does not contain the standard user account name, then root access to the mount/umount commands will be denied to the standard user account. You can further deny the standard user account by excluding it from the sudo group as well.

-- Tom

 

I haven't checked if it works ... but this polkit rule might do what you want. Any user who does not belong to the storage group should not be able to mount a filesystem.

 

Thanks so much - I'll give these a go.