Mailinglist Archive: opensuse-factory (757 mails)

< Previous Next >
Re: [opensuse-factory] sudo and makeSUSEdvd [Was: makeSUSEdvd error]
  • From: Volker Kuhlmann <hidden@xxxxxxxxxxxxxxx>
  • Date: Sat, 13 May 2006 14:18:33 +1200
  • Message-id: <20060513021833.GA31128@xxxxxxxxxxxxxxx>
> I think it is wrong to run a script that does no system changed to run as
> root. I don't understand why `mount -o loop` can not be done as user.
> That would be the more correct question. I can download an iso, burn it
> and read the content as user. I can not download the iso and mount the
> iso.

While I personally think running such a script as this should be done as
user, I wouldn't get stuck at sudo. I also see that it is not possible
to run this script as user, because it needs to mount ISO images. Using
other programs to copy out the files from the ISO image is a bad idea
IMHO. Personally I thnk having a script which turns the 5 CDs
(plus/minus any other packages) into a functional SUSE DVD is well worth
having, and thanks for all the work on it. Whether the script can be run
as !root is something I don't care about right now. A functional script
is much more valuable.

I would suggest you do either/some of these:

1) Insert information into --help which states what lines to put into
sudo's config to make it work with sudo, and what the implications are.

2) Mention in --help that the script must be run as root to be able to
copy out the contents from ISO images.

3) Suggest a line in --help to be put into /etc/fstab, which allows any
user to mount any ISO image from a defined public place at a predefined
mount point. MAKE SURE(!) that dev,suid are on and auto is off on the
mount options. You might find other options useful too.

> Also now it is proven that I can copy the content of the iso to anywhere,
> it is strange that loop demands this. I believe it is not so much sudoers
> that must be changed, it is loop that must be changed.

You don't understand the loop mechanism. In *ix, mounting a filesystem
is a priviledged operation, and with darn good reason. The mounting of
your removable media is done by root, and controlled with suitable mount
options as I outlined above. This prevents users from burning a SUID
root shell to a CD and inserting into into a Linux box for a quick root.
Under specific conditions, mount is permitted by non-root. The
conditions are: user, users, or group are specified (and their condition
match), the device is specified, and the mount point is specified. You
can not relax on the last two conditions, as doing so would allow $USER
to mount their USB gimmick on /bin and sitting back to watch the
entertainment.

All that loop does is turning a file into a block device, because that's
the only thing you can mount. The mount command calls losetup in the
background for you, after having found itself a free loop device
(/dev/loop*).

Volker

--
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/ Please do not CC list postings to me.

< Previous Next >
List Navigation
Follow Ups