[Bug 293429] New: ntfs-3g default mount options
https://bugzilla.novell.com/show_bug.cgi?id=293429

Summary: ntfs-3g default mount options
Product: openSUSE 10.3
Version: Alpha 6
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: peter.kerekfy@winsdom.com
QAContact: qa@suse.de
Found By: ---

I suggest to add 'fmask=111' mount option to ntfs-3g filesystems because it makes all files non-executable which look much better than executable files. Especially because the noexec parameter is already default.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=293429
Matej Horvath
https://bugzilla.novell.com/show_bug.cgi?id=293429#c1
--- Comment #1 from Péter Kerékfy
https://bugzilla.novell.com/show_bug.cgi?id=293429#c2
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=293429#c3
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=293429#c4
Christoph Thiel
https://bugzilla.novell.com/show_bug.cgi?id=293429#c5
--- Comment #5 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=293429#c6
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=293429#c8
Bernhard Kaindl
/sbin/mount.ntfs-3g does not need to be setuid root, it is called root:root as helper already.
That is not true when mount is called from a non-root user, despite /bin/mount being suid-root. Try this:

    # dummy mount helper that only prints the real and effective uid it runs with
    printf '%s\n' '#include <stdio.h>' '#include <unistd.h>' \
        'int main(void) {printf("uid: %d, euid: %d\n", getuid(), geteuid()); return 0;}' >uidprint.c
    gcc uidprint.c -o /sbin/mount.foobar
    # fstab entry of type "foobar" with the "user" option, then mount it as a non-root user
    echo 'foormbar /foobar foobar user' >>/etc/fstab
    su nobody -c 'mount /foobar'

output is:

    uid: 65534, euid: 65534

So it seems that privileges are dropped by mount before calling the mount helpers which only a few filesystems need, e.g. I only have these installed:

    # ls -1 /sbin/mount.*
    /sbin/mount.cifs
    /sbin/mount.fuse
    /sbin/mount.ncp
    /sbin/mount.ncpfs
    /sbin/mount.nfs
    /sbin/mount.nfs4
    /sbin/mount.ntfs-3g

The errors which one gets when "user" is specified in fstab for an ntfs-3g fstype are:

    Error opening partition device: Permission denied
    Failed to startup volume: Permission denied
    Failed to mount '/dev/sdc1': Permission denied

In the words of Szaka (Szabolcs Szakacsits, member of the ntfs-progs team - he wrote ntfsresize - and author of ntfs-3g), the issue is simple:
FUSE mounting block devices is privileged, suid-root is needed. The privilege is dropped after successful mount, so it's much safer than any file system kernel driver. Security related things could be improved still a lot but quite many things too which are far more important.
I agree with him. One could try to get cooperation from the util-linux maintainers to change /bin/mount to pass the opened file descriptor of the block device to the mount helper, but that isn't a priority for Szaka. If that is important to us, we could see if we could get it done but it would also take some work to get it done and upstream.

As the privileges are dropped after successful mount, I do not see many possibilities to attack ntfs-3g. At mount time, ntfs-3g is controlled through a limited set of mount options. After mount, the main issue is to use selective file permissions, but Thomas Fehr changed Yast2 to use the proposed fmask and dmask for Beta 2 now.

-----------------------------------------------------------------------------
Using Hal with ntfs-config

The only other way which I see to give users write access to NTFS partitions is to use hal, but to do this cleanly, hal and KDE would need some changes and it would require some more time to implement and test before we would have a clean hal solution which then also supports automatic mounting of ntfs disks.

There is a GUI tool, called ntfs-config, recommended by Szaka (used by debian and ubuntu so far) which:

* has support for instantly mounting of NTFS partitions at program startup:
  - asks for the mount point for newly connected NTFS volumes on program startup
* supports to switch any mounted NTFS volume from read-only to read-write:
  - it does this by switching between ntfs-3g and kernel ntfs
* has a wrapper which supports GNOME and KDE's "su" tools to do the mounting and unmounting
* writes fstab entries for all NTFS volumes disks which it has seen so far (it adds new disks which are not in /etc/fstab yet on program startup)
* shows a check box for using the "force" option when mounting with ntfs-3g fails due to scheduled check and I tested it all to work.
* Has translations for many languages

But we do not have it as package yet, so we'd have to make an exception to the "no new packages" policy which is in force now to use it.

ntfs-config is not perfect, e.g. it uses device paths (e.g. /dev/sdc1, which changes randomly when you have multiple USB/FireWire disks) instead of the fs UUID, but that could be fixed if we have enough time:

BUG: ntfs-config reads, but doesn't write UUID fstab entries yet:
https://bugs.launchpad.net/ubuntu/+source/ntfs-config/+bug/121062

To give you an impression of the state of where ntfs-config is, I show you a changelog entry from ntfs-config (Source: https://bugs.launchpad.net/ntfs-config/+bug/105015):
RC4 should close that bug :
* New : device mounted on multiple mount point should now be handled correctly
* New : Propose actions when mounting/unmounting fail :
  - Propose the lazy option when device is busy
  - Propose to remove bad option or revert them to default when an unknown option was detected
  - Propose to use default FSTYPE driver when type wasn't found
  - Propose to use the force option when NTFS is unclean with ntfs-3g
* Translation : A bunch of new translations thanks to a bunch of cool guys
==============================================================================
While this item is not in the scope of this bug (mounting ntfs) it's a bit related as it's about unmounting with ntfs-3g:
------------------------------------------------------------------------------
Safe volume removal

For good handling of external NTFS disks, we should also implement Safe disk removal (unmounting thru an icon in the panel) because unlike USB sticks using VFAT, NTFS disks connected thru USB or Firewire should rather be cleanly unmounted before disconnecting them because the filesystem could be left in an unclean state.

During testing what happens on unplug/hotplug in different situations (e.g. with open files), I caused my external USB disk to enter the "filesystem check scheduled" state in which ntfs-3g refuses to mount the filesystem unless it's called with the "force" option.

I could not test this yet (no Windows install to test it using dual-boot, booting into Linux when Windows is hibernated), but the force option may possibly also force a mount if the NTFS $Logfile indicates that the filesystem is currently in use, e.g. when Windows was put into standby or hibernation.

Such volume should better not be written to in any way as that may cause quite bad things to happen when Windows resumes and assumes that the disk has not changed while it was sleeping.

Without a windows machine, I'd have to ask Szaka or check the source code to find out what force does then.
------------------------------------------------------------------------------
https://bugzilla.novell.com/show_bug.cgi?id=293429#c9
Bernhard Kaindl
https://bugzilla.novell.com/show_bug.cgi?id=293429#c10
--- Comment #10 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=293429#c11
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=293429#c12
Bernhard Kaindl
/sbin/mount.ntfs-3g does not need to be setuid root, it is called root:root as helper already.
is not true. The team's suggestion was based on this, so it does not work. I now also checked the source, it unconditionally does

    setuid(getuid());
    setgid(getgid());

to drop the euid+egid and restore normal user uid/gid before calling the mount helper.

I have looked at the ntfs-3g code and as Szaka said, it drops privileges after the mount itself completed. Before the euid is dropped, the command line options are parsed and the fuse mount library is called. That library is used by fusermount for the same purpose and already using suid root:

    $ grep fuse /etc/permissions*
    /etc/permissions.easy:/usr/bin/fusermount root:trusted 4755
    /etc/permissions.secure:/usr/bin/fusermount root:trusted 4750
    /etc/permissions.paranoid:/usr/bin/fusermount root:trusted 0755

So the only code which is not yet used suid root is the command line option parsing in ntfs-3g, which is fairly simple and should be easy to audit. I have not seen any flaw in it so far, but I do not have the responsibility to judge it.

----------------------------------------------------------------------------------
My personal opinion is that as it's currently used, the user approach lacks support for hotplugging, so I think that to do it properly we'd have to use hal.

ntfs-config, the program which I hoped could make it all "just work", seems to be quite broken in several ways and does not do at all what I hoped: I thought that it would be integrated with hal, but the only thing which it does with hal is that it installs an fdi file in /etc/hal/fdi/policy which changes the fstype of hotpluggable ntfs partitions to ntfs-3g and allows the hal mount users to use the ntfs-3g locale mount option, but that's all.

Besides that, it fully depends on root rights, does not mount thru hal but directly with mount and creates fstab entries for the USB and firewire disks which it sees, which locks out users of hal in two ways:

* Since the filesystems are not mounted by hal, they cannot be unmounted thru hal
* Since they are listed in /etc/fstab, they cannot be mounted thru hal

Further observations:

* It uses the non-persistent /dev/sd[a-z][number] instead of /dev/disk-by-id/{id}, so if you ever connect a different USB or FireWire disk than the one it put into /dev/fstab, things break, disks are not identified in any way.
* In the medium-size, very diverse test setup with two identical USB disk drives (which can be only identified by their differing disk-by-id and their different partitions), one FireWire disk and two more USB disks, it seems to add all partitions to /etc/fstab, but mounts only 2 of them and while it shows even 4 partitions in the second run, it still does nothing when (un)checking the read-write checkboxes for the other two partitions.
* It already takes quite a few seconds to probe all disks (before showing anything to the user) which I connected in this setup.

While changing ntfs-config to use hal might be something good to do, as that should solve the issues, I have difficulty to think that it could reach the 10.3 gold master.

So if we want to allow the user to mount NTFS partitions read-write without requiring him to use the shell to mount it as root by hand, we have to give ntfs-3g root privileges.
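The privilege drop discussed in this thread (mount before it calls a helper, ntfs-3g after the mount has completed), shown as an added example that is not part of the original comment and is not code from util-linux or ntfs-3g. The function name drop_to_invoking_user is hypothetical; the sketch drops the group before the user and then verifies that the old effective IDs cannot be regained.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from util-linux or ntfs-3g): permanently return
 * a setuid/setgid program to the user who invoked it.
 * Returns 0 on success, -1 if a step fails or the drop could be undone. */
int drop_to_invoking_user(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: while euid is still 0, setgid() also resets the saved
     * set-group-ID; after the uid drop that is no longer possible. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() sets real, effective and saved uid at once. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop is permanent: the old effective IDs must be refused. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;

    /* Verify the final state instead of trusting the return codes alone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    /* Same report as the uidprint test in the thread, before and after. */
    printf("before: uid: %d, euid: %d\n", (int)getuid(), (int)geteuid());
    if (drop_to_invoking_user() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("after:  uid: %d, euid: %d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Supplementary groups are left alone because a setuid program started by a user already carries that user's groups; a daemon started as root would also need setgroups().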
https://bugzilla.novell.com/show_bug.cgi?id=293429#c13
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=293429#c15
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=293429#c16
Rastislav Krupanský
https://bugzilla.novell.com/show_bug.cgi?id=293429#c18
Ben Kevan
https://bugzilla.novell.com/show_bug.cgi?id=293429#c19
--- Comment #19 from Ben Kevan
https://bugzilla.novell.com/show_bug.cgi?id=293429#c20
--- Comment #20 from Rastislav Krupanský
https://bugzilla.novell.com/show_bug.cgi?id=293429
Alberto Passalacqua
https://bugzilla.novell.com/show_bug.cgi?id=293429#c21
--- Comment #21 from Alberto Passalacqua
https://bugzilla.novell.com/show_bug.cgi?id=293429
User carlos.bessa@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=293429#c22
Carlos Bessa
https://bugzilla.novell.com/show_bug.cgi?id=293429
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=293429#c24
--- Comment #24 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=293429
Thomas Biege