security concerns about user mount 

Joined: Wed Jun 04, 2008 12:35
Posts: 2
Post subject: security concerns about user mount
Hi,

currently, with ntfs3g-1.2531, in order to be able to mount as user, I have to do the following:

  • make an fstab entry
    Code:
    /dev/sda1 /mnt/windows ntfs-3g locale=en_US.utf8,user,noauto 0 0
  • give the ntfs-3g binary the suid bit
  • give the user read-write access rights to the device
    Code:
    chown root:users /dev/sda1
    chmod 660 /dev/sda1

Only then can I do mount /mnt/windows as well as umount /mnt/windows as user (who is in the users group). Not following one step of the above results in this error message:

Code:
Error opening '/dev/sda1': Permission denied
Failed to mount '/dev/sda1': Permission denied
Please check '/dev/sda1' and the ntfs-3g binary permissions,
and the mounting user ID. More explanation is provided at
http://ntfs-3g.org/support.html#unprivileged


I have some concerns about giving the users raw read/write access to the device. Doing this makes the user able to do things he could not do with file system access alone, for example:

  • The user can format the drive and thus replace all data with something else.
  • The user can analyze the raw data of the drive and thus restore files that have been deleted and would be not accessible via the file system layer.
  • This allows the user to hide data from everyone, including root, for example by writing and then deleting a file with magic header, which only the user knows, and only the user can find, by accessing the raw data of the drive.
  • Some people even misunderstand these requirements, for example the Gentoo guide recommends putting users into the disk group, which gives the user raw access rights to any disk, not just the ntfs ones, practically making them root.


In short, doing this gives the user more privileges than he needs to have.

In my understanding, a binary that has the suid bit set can do whatever it wants to do. So the requirement of giving the user read-write access to the device should be completely artificial. What should be checked instead is whether or not the fstab permits the user to mount a partition.

Or did I misunderstand something and there is indeed a way to allow a user to mount, without giving him additional permissions to any device?


Wed Jun 04, 2008 12:56
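The post above mixes two separate questions: whether /etc/fstab permits a non-root user to mount an entry, and whether the device node itself hands non-root users raw read/write access. The following audit script is an added example (not code from the thread or from ntfs-3g) that checks each one separately over a constructed fstab sample; the mount point, mode values and function names are illustrative assumptions.

```shell
#!/bin/sh
# Added audit example (not from the thread or ntfs-3g): separates the two
# questions the setup above mixes together: does /etc/fstab permit a non-root
# user to mount the entry, and does the device node give non-root users raw
# read/write access? A setuid helper needs only the first; the second is the
# over-privilege the post objects to.

# Constructed fstab sample; the first line is the thread's own entry.
FSTAB_SAMPLE='/dev/sda1 /mnt/windows ntfs-3g locale=en_US.utf8,user,noauto 0 0
/dev/sdb1 /mnt/data    ntfs-3g defaults 0 0'

# fstab_user_mount MOUNTPOINT: prints "yes" if the entry carries the user or
# users option, "no" otherwise. Comment lines and other entries are ignored.
fstab_user_mount() {
    r=$(printf '%s\n' "$FSTAB_SAMPLE" | awk -v mp="$1" '
        /^[ \t]*#/ { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "user" || o[i] == "users") { print "yes"; exit }
        }')
    printf '%s\n' "${r:-no}"
}

# device_raw_access MODE: classifies a device node's octal mode (e.g. 660, the
# value "chmod 660 /dev/sda1" sets) from a non-root user's point of view.
#   root-only  neither group nor others can read or write the raw device
#   group-rw   the owning group can write (the chown/chmod step above)
#   world-rw   everyone can write
#   read-only  group or others can read but not write (undelete still possible)
device_raw_access() {
    m=$1
    o=${m#"${m%?}"}; m=${m%?}   # last digit: others
    g=${m#"${m%?}"}             # next-to-last digit: group
    if   [ $(( o & 2 )) -ne 0 ]; then echo world-rw
    elif [ $(( g & 2 )) -ne 0 ]; then echo group-rw
    elif [ $(( (g | o) & 4 )) -ne 0 ]; then echo read-only
    else echo root-only
    fi
}

# audit_entry MOUNTPOINT MODE: one-line verdict combining both checks.
# On a live system MODE would come from the device node (GNU: stat -c %a).
audit_entry() {
    echo "user-mount=$(fstab_user_mount "$1") raw-device=$(device_raw_access "$2")"
}

audit_entry /mnt/windows 660   # user-mount=yes raw-device=group-rw
```

A verdict of user-mount=yes together with raw-device=root-only is the least-privilege state the post is asking for; group-rw or world-rw is the raw-access grant it warns against.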
Tuxera CTO

Joined: Tue Nov 21, 2006 23:15
Posts: 1645
Hi,

On Wed, 4 Jun 2008, frostschutz wrote:

> I have some concerns about giving the users raw read/write access to the
> device.

Then don't do it, nobody is forcing you.

Instead you could kindly ask /bin/mount maintainers to fix mount, or submit
patches to them (there are several /bin/mount utilities) so unprivileged
users can also mount via mount helpers too, not only via file system kernel
drivers.

> In my understanding, a binary that has the suid bit set, can do whatever
> it wants to do.

Yes, it could but it does only what is secure. What you're asking for is a
major, serious security hole, we just fixed this year.

If you deeply care about user accesses then I also recommend NTFS-3G with
full file ownership and permissions support at
http://pagesperso-orange.fr/b.andre/security.html

> So the requirement of giving the user read-write access to the device,
> should be completely artificial. What should be checked instead is wether
> or not the fstab permits the user to mount a partition or not.

ntfs-3g doesn't check /etc/fstab, mount does then it behaves incorrectly.

> Or did I misunderstand something and there is indeed a way to allow a
> user to mount, without giving him additional permissions to any device?

The issue is documented here: http://ntfs-3g.org/support.html#useroption2

Thanks, Szaka


Fri Jun 06, 2008 17:02

Joined: Wed Jun 04, 2008 12:35
Posts: 2
I'm just a normal user, not in a position to tell other people to patch their software (that includes your software). I merely wanted to find out if there was a misunderstanding on how ntfs-3g with suid bit set is supposed to work (it seems that the current solution outsources the security issues to the system / admin / users instead of offering a smart / safe solution).

I'd trust ntfs-3g with the suid bit - the FAQ states "The setuid-root ntfs-3g driver applies the principle of least privilege during its lifetime as a safety measure." - I assume this means that ntfs-3g drops any privilege it doesn't need (anymore) as soon as possible, so it won't do anything other than what it's actually supposed to be able to do.

However, I won't trust users with access rights to the volume, because doing this is a security issue in itself, with or without ntfs-3g. Having such a requirement makes giving ntfs-3g the suid bit utterly pointless.


Sun Jun 08, 2008 02:23