Disabling automount and hard drive mount for standard users.

Discussion in 'all things UNIX' started by deBoetie, Jun 11, 2014.

Thread Status:
Not open for further replies.
  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Has anyone had success in disabling drive automount and disallowing a standard user from performing mnt actions?

    I'm dual-booting and also booting off usb drives, and am unhappy (from a security perspective) that a standard user account automatically gets access to the Windows NTFS partition for example. It seems to me that that is a substantial vulnerability because user-mode malware could write nasties (including rootkits) to the Windows partition.

    While I can prevent the automount, it does not stop a standard user from then doing a mnt on any partition it can see without any further privileges. I've also tried editing the fstab in Ubuntu 12.04 but that didn't work.

    Any tips on what might be effective greatly welcomed, preferably for an Ubuntu-based distro.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    This is unfortunately a bit involved thanks to udisks/polkit, and the method for doing it changes about every 6 months. Last I checked it involves putting snippets of Javascript in deeply nested folders in /etc. (I wish I were kidding.)

    My advice would be to put the Windows partition in fstab, and make sure it is mounted read-only and only readable by root. With the partition already mounted, udisks will not be able to remount it, let alone with read-write permissions for everyone.

    Also

    <rant mode>
    I really don't know what the Freedesktop crowd is thinking, coming up with stuff like this. A wholly separate set of permissions? Javascript and XML parsers required for mounting devices? Special daemons needed to check that a user is not SSHed in, just to prevent accidental shutdowns that would never even happen on a properly configured machine? Blargh. This is Rube Goldberg crap.
    </rant mode>

    Edit: on the other hand I feel I should also point out that, if a malicious party has a remote shell and can execute the arbitrary commands needed to mess with the Windows filesystem, you have much much bigger problems.
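The fstab approach from the post above, as an added example that is not Gullible Jones's own script: the entry mounts the Windows partition read-only and root-only, and two small checks confirm that state against a /proc/mounts-style listing and the mountpoint's permission bits. The UUID is a constructed placeholder, the mountpoint /mnt/windows is an assumption, and ntfs-3g is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes an NTFS partition with the
# constructed placeholder UUID below (find the real one with blkid) and ntfs-3g.
WIN_UUID="0000-CONSTRUCTED-UUID"
WIN_MNT="/mnt/windows"

# The fstab entry: read-only, owned by root, umask=077 so only root can list
# it. ntfs-3g applies uid/gid/umask to every file because NTFS stores no POSIX
# ownership. Mounted here at boot, the device is already busy when udisks looks.
fstab_line() {
    printf 'UUID=%s %s ntfs-3g ro,uid=0,gid=0,umask=077,nofail 0 0\n' \
        "$WIN_UUID" "$WIN_MNT"
}

# Check 1: in a /proc/mounts-style listing read from stdin, is $1 mounted with
# the "ro" option? (ntfs-3g mounts appear there as type fuseblk.)
mounted_ro() {
    awk -v mnt="$1" '
        $2 == mnt { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Check 2: does the directory carry no group/other permission bits, so a
# standard user cannot even traverse it? (GNU/busybox stat -c %a)
dir_private() {
    mode=$(stat -c %a "$1") || return 1
    [ $((mode % 100)) -eq 0 ]
}

# Both checks against the live system.
check_windows_mount() {
    mounted_ro "$WIN_MNT" < /proc/mounts && dir_private "$WIN_MNT"
}

# Constructed sample lines: the hardened mount, then what a udisks automount
# of the same partition typically looks like (rw, under /media).
SAMPLE_GOOD='/dev/sda2 /mnt/windows fuseblk ro,relatime,user_id=0,group_id=0 0 0'
SAMPLE_BAD='/dev/sda2 /media/me/Windows fuseblk rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0'

if [ "${1:-}" = "--demo" ]; then
    fstab_line
    echo "$SAMPLE_GOOD" | mounted_ro /mnt/windows && echo "sample good: read-only"
    echo "$SAMPLE_BAD" | mounted_ro /media/me/Windows || echo "sample bad: writable"
fi
```

Run with `--demo` to print the fstab line and exercise the checks on the sample listing; `check_windows_mount` is the one to run after a reboot on the real system.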
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    User-mode malware could write ... to the Windows partition ...

    Really ... interesting. Now let's drop sci-fi and focus on real life.

    And it's simple, don't get infected in the first place, and then you won't need to worry about what if.

    What if malware sends goatse pics to your grandmother. Disable mail/sendmail too?
    What if it plays Benny Hill, disable audio and speakers?

    Mrk
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Thanks for the steer, agree with the frustrations....

    I would agree with the sci-fi comment EXCEPT that it seems to me that the industrialisation of malware plus state actors make people running Pendrive/LiveCD/dual boot Linux distros a prime target. And if I were seeking to subvert that, I would welcome the opportunity not to need privilege escalation, and I could easily transmit the call-home results out by proxy by installing the malware in the Windows OS as a rootkit, and have that run the next time the person runs their "normal" Windows session. It wouldn't matter that the Linux retained its integrity or that it was read-only or that the malware disappeared on logout. I think the scenario of a Linux pendrive or dual boot plus Windows would be common, and it's not easy to disable the hard drive.

    Not getting infected in the first place is clearly better, but if you have the privilege escalation bar, that makes it substantially harder. Writing to disk is easy for any process, sending mail and controlling internet access can be rather more protected.

    Rather more generally, it doesn't seem such an outrageous thing from a business pov that a Linux standard user shouldn't be allowed to arbitrarily mount drives because that's a very well known information leakage mechanism. But it's very much not easy to achieve.
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Hi deBoetie,

    From a Unix/Linux perspective, if you make sure that the adm group does not contain the standard user account name, then root access to the mount/umount commands will be denied to the standard user account. You can further deny the standard user account by excluding it from the sudo group as well.

    -- Tom
     
  6. tlu

    tlu Guest

    I haven't checked if it works ... but this polkit rule might do what you want. Any user who does not belong to the storage group should not be able to mount a filesystem.
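A group-gated polkit rule of the kind tlu describes, as an added example rather than the rule tlu linked: it renders the JavaScript rules.d form (polkit 0.106 or newer; the group name is a parameter, defaulting to storage as in the post), installs it ahead of distro rules, and lets you check which users are in the group before you lock everyone else out. The file name 10-deny-udisks-mount.rules is an assumption.

```shell
#!/bin/sh
# Added example, not tlu's rule. Renders a polkit JavaScript rule (the
# /etc/polkit-1/rules.d format, polkit 0.106 or newer) that refuses udisks
# mount requests from any user outside the group given as $1.
render_mount_rule() {
    group="${1:-storage}"
    cat <<EOF
/* Deny udisks/udisks2 filesystem mounts to users outside "$group". */
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks") == 0 &&
        action.id.indexOf(".filesystem-mount") > 0 &&
        !subject.isInGroup("$group")) {
        return polkit.Result.NO;
    }
});
EOF
}

# Rules files are evaluated in lexical order and the first definite answer
# wins, so a low numeric prefix runs before the distro's own rules. Root only.
install_mount_rule() {
    [ "$(id -u)" -eq 0 ] || { echo "install_mount_rule: run as root" >&2; return 1; }
    render_mount_rule "$1" > /etc/polkit-1/rules.d/10-deny-udisks-mount.rules
}

# Before installing, confirm who will still be allowed: is user $1 in group $2?
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

if [ "${1:-}" = "--show" ]; then
    render_mount_rule "${2:-storage}"
fi
```

Check `pkaction --version` first: releases of that era such as Ubuntu 12.04 ship an older polkit that reads .pkla files under /etc/polkit-1/localauthority/ and ignores rules.d entirely.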
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Thanks so much - I'll give these a go.
     