announcing mtab hint

Richard Lightman richard at nezumi.plus.com
Thu Aug 1 07:44:48 PDT 2002


* Oliver Brakmann <obrakmann at gmx.net> [2002-08-01 14:07]:
> Richard Lightman wrote...
> > 
> >         - there was some talk about a wrong root device listed in /etc/mtab,
> >           though I never noticed that. Maybe someone would like to shed
> >           some light on this for me.
> > 
> > Possibly from me - I used to use pivot_root to change the root
> > device to an LVM volume. I now use a different method, but IIRC
> > /proc/mounts will contain something useful after pivot_root,
> > but an mtab maintained by mount/umount will need fixing.
> 
> Thanks again. Seth already let me in on this, too. He said
> this appeared only with certain Kernel versions.
> I've only really used 2.4.16 and above extensively, and I
> never saw that happen. Do you still know which kernel version
> you were running then?
> 
Probably most of the 2.4 series, but I skipped a few versions. Reiserfs
got some new problems when it was first made part of the standard
kernel, so I missed a few versions there. Also the new VM came in
at version 2.4.9 IIRC, and I skipped a several versions until
VM and reiserfs worked together.

I have been using devfs, loop back encrypted filesystems, pivot_root,
and the mtab -> /proc/mounts symlink for a long time - well before
that symlink became part of standard LFS (or kernel 2.4.0). I have
not noticed many of the problems other people had with to mtab entry
for the root device, so I assumed my unusual setup was to blame.

> > After applying your hint, only the user who mounted the floppy (and
> > root) can umount it. This is good, but I would like to go a bit
> > further: I want to restrict the use of the floppy disk to the
> > person logged in on the root console, (or root).
> 
> The solution sounds so simple that it makes me think I misunderstand you:
> just don't specify the user option. Then only root can mount and
> umount the floppy.
> 
I should have explained more clearly. Imagine three users logged into
a computer called 'ant'. Anne is typing on a keyboard, and looking
at a monitor plugged directly into 'ant'. Bert is typing on a computer
called 'bug', and logged into 'ant' via ssh. Don is using a dumb
terminal plugged into a serial port on 'ant'. None of these people
are logged in as root. Anne is on the root terminal - this is the
only one on which ctrl-alt-del and alt-sysreq-{h,b,e,k,k,l,m,p,r,s,t,u}
would have their special meanings if I had not done something about
it.

I have a program called 'conlogin' (http://www.nezumi.plus.com/) that
changes changes the ownership of various devices depending on what
terminal it was run on. It could be configured so that Anne could
burn CD's without being root, or using a suid program. If the speakers
are nearer the dumb terminal than the root console, 'conlogin' can
give Don the sound card, so Anne and Bert cannot change what he is
doing with it. Normally, ownership of a virtual console is changed
when you log in. If you want to use 6 virtual consoles, you must type
your name and password six times. 'conlogin' gave Anne ownership of
all the virtual consoles when she logged in. She can start a shell,
or some other program on any of them, without typing her password
again.

I have not found any way to do something similar for the floppy.
The ownership and permission of the mount point do not matter.
Also, mount takes no notice of the owner of the device. The
files on the floppy have owner ID numbers that may have been relevant
when the floppy was made, but are meaningless when the floppy is
used on a different machine.

Sensible (paranoid?) users would use something like:

tar -cC ~ floppy | bzip2 -c9 | gpg -e --default-recipient-self >/dev/floppy/0
and
gpg -d /dev/floppy/0 | bzip2 -cd | tar -xC ~

I am looking for something that works with a filesystem. Some
filesystems have a uid=? option which is close, but not close
enough.


Richard
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message



More information about the blfs-support mailing list