Cannot mount as non-root in Debian/Sid
Moderators: d242, szaka
Joined: Fri Feb 22, 2008 00:17 Posts: 4
| Cannot mount as non-root in Debian/Sid
Hi to all!! This is my first post in the forum :)
I have the following problem in i686 running Debian/Sid. I compiled the 1.2216 version from source and it installed with no problems. However I cannot mount as non-root user. E.g. username is 'user1', member of the groups 'disk' & 'fuse'
    ntfs-3g   => rws/rws/r-x root disk
    /dev/fuse => rw/rw/- root fuse
    /dev/sda1 => rw/rw/- root disk
    /mnt/sda1 => rwx/rwx/- root disk
As 'user1':
    $ ntfs-3g /dev/sda1 /mnt/sda1
The following error occurs:
    'ntfs-3g-mount: Failed to open /dev/fuse. Permission denied.'
Any ideas?? I also tried the suggested: http://www.ntfs-3g.org/support.html#useroption but gives the same error. Thanks in advance!
| Fri Feb 22, 2008 00:31 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| Try to change your group before mount: chgrp fuse
If it doesn't help then sudo chmod 666 /dev/fuse
| Fri Feb 22, 2008 00:41 |
| $ chgrp fuse
both as non-root and root gives the error:
    chgrp: missing operand after `fuse'
It requires a 'file' parameter as shown in the man page.
| Fri Feb 22, 2008 01:06 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
|
| Fri Feb 22, 2008 01:26 | Joined: Fri Feb 22, 2008 00:17 Posts: 4
| I currently do not want to change the default group of user1 Thanks anyway :)
| Fri Feb 22, 2008 02:12 | Joined: Sun Feb 10, 2008 01:12 Posts: 6 Location: France
| Hello, I have the same problem with normal users here (/usr/bin/ntfs-3g is setuid root). mount gives the following message:
    Error opening partition device: Permission denied
    Failed to mount '/dev/hdb1': Permission denied
    Please check the volume and the ntfs-3g binary permissions, and the mounting user ID. More explanation is provided at http://ntfs-3g.org/support.html#unprivileged
    $ ls -l /dev/hdb1
    brw-rw---- 1 root disk 3, 65 2008-02-25 13:02 /dev/hdb1
I add the user to group 'disk' but the same error appears. I log into this group with 'newgrp disk'. This time I get:
    ntfs-3g-mount: failed to open /dev/fuse: Permission denied
Repeating the previous two steps with group 'fuse' this time doesn't help. Haven't tried with a compiled-from-source ntfs-3g though, might be a packaging problem (?)
| Mon Feb 25, 2008 23:00 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| Thanks for the bug report, it will be fixed in the next release. For now just do chmod 666 /dev/fuse
| Tue Feb 26, 2008 00:26 | I tried it today with a source-compiled deb and it results in the same fault.
| Sun Mar 02, 2008 03:46 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| Do you mean you get the 'ntfs-3g-mount: Failed to open /dev/fuse. Permission denied.' error after you did a 'chmod 666 /dev/fuse'? That would be unexpected.
| Sun Mar 02, 2008 10:55 | Joined: Sun Feb 10, 2008 01:12 Posts: 6 Location: France
| With 'chmod 666 /dev/fuse' I still get 'Permission denied' on /dev/hdb1. Adding the user to group 'disk' then 'newgrp disk' fixes the permission issue but the following error occurs during the mount:
    $ mount /media/rack/
    ntfs-3g-mount: user has no write access to mountpoint /media/rack
Here is the line for this device in /etc/fstab:
    /dev/hdb1 /media/rack ntfs-3g user,noauto,dmask=022,fmask=133 0 0
Hope this helps (for the moment I mount as root :)
| Mon Mar 03, 2008 11:48 |
| Hello, I have the same problem too. I think it's a problem with ntfs-3g since u+s ntfsmount lets users mount ntfs partitions successfully. Thanks Szaka for your support.
| Mon Mar 03, 2008 13:23 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| Yes, ntfsmount works because it has a local root exploit. But NTFS-3G does not have a known security problem. From http://ntfs-3g.org/support.html#unprivileged
> Unprivileged block device mounts work only if NTFS-3G is compiled with integrated FUSE support, the ntfs-3g binary is set to setuid-root, and the user has access rights to the volume and mount point.
SeeSharp didn't have access right to volume and to the mount point, so mount was correctly denied. It's a user setup/configuration problem, NTFS-3G works as it was designed, securely, without giving away the root access.
| Mon Mar 03, 2008 15:22 |
| Thank you for your reply. It is actually a permission problem:
    chmod 666 /dev/sde1
    chmod 777 /media/Volume
This way the mount is successful, but quite insecure. I don't understand why secondary groups are ignored, since I am in both disk and storage (with primary group being users)
    carlocci ~/abs/ntfs-3g $ ls -ld /media/Volume/
    drwxrwxr-x 2 root storage 4096 5 feb 16:28 /media/Volume/
    carlocci ~/abs/ntfs-3g $ ls -l /dev/sde* /dev/fuse
    crw-rw-rw- 1 root root 10, 229 3 mar 16:33 /dev/fuse
    brw-rw---- 1 root disk 8, 64 3 mar 11:03 /dev/sde
    brw-rw---- 1 root disk 8, 65 3 mar 11:03 /dev/sde1
    carlocci ~/abs/ntfs-3g $ groups
    tty disk wheel locate games dbus hal network video audio optical floppy storage power users
The only way to mount as user seems
    chown root:disk /media/Volume
    sg disk 'mount /media/Volume'
or change my primary group with newgrp. Probably I'm missing something as I'm quite a linux newbie; I wonder what that is.
| Mon Mar 03, 2008 21:35 |
| I noticed I can mount ntfs partitions graphically if I remove the partition entry from fstab and mount through hal. Still can't mount from console, though. Here is the entry I removed
    # /dev/sde1 label Volume
    /dev/disk/by-uuid/68941CD6941CA918 /media/Volume ntfs-3g users,noauto,uid=1000,gid=95,fmask=0113,dmask=0002,nls=utf8 0 0
The package which contains mount in my current install:
    Name : util-linux-ng
    Version : 2.13.0.1-2
Is this a problem with mount?
| Tue Mar 04, 2008 18:51 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| Yes, the mount(8) and umount(8) utilities have known problems handling user mounts. The /dev/fuse permission problem is fixed in NTFS-3G 1.2310.
| Wed Mar 12, 2008 21:53 |
| Strange thing. I cannot confirm your fix in 1.2310. See yourself:
    denis@dencomp ~ $ ls -dl /mnt/usb
    drwxrwxr-x 2 root usb 1024 Янв 21 18:50 /mnt/usb
    denis@dencomp ~ $ groups denis
    disk wheel usb denis
    denis@dencomp ~ $ ls -l /dev/sda1
    brw-rw---- 1 root disk 8, 1 Мар 13 14:17 /dev/sda1
    denis@dencomp ~ $ ls -l /dev/fuse
    crw-rw-rw- 1 root root 10, 229 Мар 13 12:18 /dev/fuse
    denis@dencomp ~ $ mount /mnt/usb
    Error opening '/dev/sda1': Отказано в доступе
    Failed to mount '/dev/sda1': Отказано в доступе
    Please check '/dev/sda1' and the ntfs-3g binary permissions, and the mounting user ID. More explanation is provided at http://ntfs-3g.org/support.html#unprivileged
P.S. Отказано в доступе - access denied in Russian :) Thanks.
| Thu Mar 13, 2008 15:06 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| > Strange thing. I cannot confirm your fix in 1.2310.
/dev/fuse handling was fixed, not the supplementary group support which is completely dropped during startup as a security measure (so you need to have the 'disk' group as your main group at the moment). The two are different issues. I try to find the time to check it out and fix for the next release. Thanks, Szaka
| Fri Mar 14, 2008 23:25 |
| > /dev/fuse handling was fixed
Hm, ok.
> not the supplementary group support which is completely dropped during startup as a security measure (so you need to have the 'disk' group as your main group at the moment)
Completely dropped? I hope it's a temporary measure.
> I try to find the time to check it out and fix for the next release.
Looking forward to the next release. (Re)switching main group is too high a price for security, imho. Thanks.
| Sat Mar 15, 2008 17:57 | Joined: Sun Feb 10, 2008 01:12 Posts: 6 Location: France
| > SeeSharp didn't have access right to volume and to the mount point, so mount was correctly denied. It's a user setup/configuration problem, NTFS-3G works as it was designed, securely, without giving away the root access.
I haven't changed the access rights on the mount point (which is 'drwxr-xr-x 2 root root') and I think with previous releases of ntfs3g the user mount was allowed without the need of write access for the user on the mount point. I thought this was an expected behaviour for mounting a device, independently of the driver: for example a user mount of a vfat (rw) device on a mount point which is also 'drwxr-xr-x 2 root root' works without any access denied error.
Also if I change the access rights on the mount point to 777, I get:
    ntfs-3g-mount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
(but /etc/fuse.conf doesn't exist on my distribution - maybe this is just a debian packaging problem for v1.2310).
I'm not doing a bug report here, just trying to figure how things work :) Again thank you szaka for your time and support.
| Sun Mar 16, 2008 21:29 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| Cannot mount as non-root in Debian/Sid
On Sun, 16 Mar 2008, SeeSharp wrote:
> I haven't changed the access rights on the mount point (which is 'drwxr-xr-x 2 root root') and I think with previous releases of ntfs3g the user mount was allowed without the need of write access for the user on the mount point.
This is a local root exploit.
> I thought this was an expected behaviour for mounting a device,
Yes, at that time it wasn't known that this is a local root exploit.
> independently of the driver: for example a user mount of a vfat (rw) device on a mount point which is also 'drwxr-xr-x 2 root root' works without any access denied error.
This is a fundamentally different issue. It works because root gave explicit permission in fstab by the 'user' or 'users' mount option. I'm sure you can not mount fat wherever you want as a user. The real problem is that the mount utility doesn't support this for helper mount software. We can't do anything about it, this is a problem in another software. It's explained here: http://ntfs-3g.org/support.html#useroption2
> Also if I change the access rights on the mount point to 777, I get: ntfs-3g-mount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf (but /etc/fuse.conf doesn't exist on my distribution - maybe this is just a debian packaging problem for v1.2310).
This is indeed a known NTFS-3G problem and will be fixed in one of the forthcoming releases. Thanks.
> I'm not doing a bug report here, just trying to figure how things work :)
This is indeed a quite complex issue that not even many developers understand ;-) When we fixed all security problems in release 1.2216 then we made the driver way too strict. Now we are relaxing the constraints where it's safe to do.
> Again thank you szaka for your time and support.
Thanks for the feedback! :-) Bye, Szaka
| Sun Mar 16, 2008 21:49 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| The NTFS-3G 1.2412 release fixes these two issues:
o Fix: unprivileged mount may have been denied because supplementary groups were dropped too early as a security measure.
o Fix: unprivileged mount may have been denied if the /etc/fuse.conf file wasn't properly configured. This was redundant and the /etc/fuse.conf file is not required anymore.
Thanks, Szaka
| Sun Apr 13, 2008 02:02 | Joined: Sun Feb 10, 2008 01:12 Posts: 6 Location: France
| Sorry to bump this old thread, but there is something I still don't get. Suppose we have the following mount point:
    drwxrwx--- 2 root test 4096 Jun 19 02:09 multimedia
why is it not possible for a user member of group 'test' to mount his ntfs-3g partition without having to log-in to group 'test' (with /usr/bin/newgrp) before mounting? I understand it is certainly an extra-security measure, but if the administrator added a given user to a group, authorized user-mounts in /etc/fstab, and set r/w access to the mount point for this group, shouldn't it be enough to allow said user to mount the partition?
| Thu Jun 19, 2008 05:27 | Joined: Tue Nov 21, 2006 23:15 Posts: 1648
| > Sorry to bump this old thread, but there is something I still don't get. Suppose we have the following mount point: drwxrwx--- 2 root test 4096 Jun 19 02:09 multimedia why is it not possible for a user member of group 'test' to mount his ntfs-3g partition without having to log-in to group 'test' (with /usr/bin/newgrp) before mounting?
Because you use a too old NTFS-3G release: http://ntfs-3g.org/releases.html
| Thu Jun 19, 2008 11:27 |
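
Added example, not part of any post in this thread and not NTFS-3G code: a small shell helper that reports through which credential (owner, primary group, supplementary group, other) a user gets the access the posters kept checking by hand, read/write on the block device and write on the mount point. Per the posts above, a result of `supplementary-group` is the case that was denied before the 1.2412 release; the function names are hypothetical, and ACLs and root's permission bypass are not modelled.

```bash
#!/bin/sh
# Added example (hypothetical helper names). Classic Unix mode bits only.

# access_via MODE OWNER_UID OWNER_GID USER_UID PRIMARY_GID "SUPP_GIDS" NEED
#   MODE  octal permission bits as printed by `stat -c %a`, e.g. 660
#   NEED  required bits as one octal digit: 6 = read+write, 2 = write
# Prints one of: owner | primary-group | supplementary-group | other | none
access_via() {
    local mode="$((0$1))" ouid="$2" ogid="$3" uid="$4" pgid="$5"
    local supp="$6" need="$7" class bits g
    if [ "$uid" -eq "$ouid" ]; then
        class=owner; bits=$(( (mode >> 6) & 7 ))
    elif [ "$pgid" -eq "$ogid" ]; then
        class=primary-group; bits=$(( (mode >> 3) & 7 ))
    else
        class=other; bits=$(( mode & 7 ))
        for g in $supp; do              # deliberate word splitting of the GID list
            if [ "$g" -eq "$ogid" ]; then
                class=supplementary-group; bits=$(( (mode >> 3) & 7 ))
                break
            fi
        done
    fi
    # Only the first matching class is consulted; there is no fall-through
    # to a later class that might have granted the access.
    if [ $(( bits & need )) -eq "$need" ]; then echo "$class"; else echo none; fi
}

# check_path PATH NEED: classify the invoking user's access to a real path.
check_path() {
    local st
    st=$(stat -c '%a %u %g' "$1") || return 1
    # $st is split into MODE UID GID on purpose.
    access_via $st "$(id -u)" "$(id -g)" "$(id -G)" "$2"
}

# report DEVICE MOUNTPOINT: the two checks discussed in the thread.
report() {
    printf 'device     %s: %s\n' "$1" "$(check_path "$1" 6)"
    printf 'mountpoint %s: %s\n' "$2" "$(check_path "$2" 2)"
}

# Stand-alone use: sh thisfile /dev/sda1 /mnt/sda1
if [ "$#" -eq 2 ]; then report "$1" "$2"; fi
```

A result of `none` for either path means the mount is denied by plain file permissions regardless of the NTFS-3G version.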