SCIENTIFIC-LINUX-USERS Archives

July 2010

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Oleg Sadov <[log in to unmask]>
Reply To: Oleg Sadov <[log in to unmask]>
Date: Thu, 1 Jul 2010 15:44:43 +0400

30/06/2010 14:03 +0200, Gasser Marc wrote:
> Hi,

Hi Marc,

> when I insert a disc in my cdrom on SL51 it is
> mounted automatically with option noexec (autofs is not running, no entry
> for /dev/cdrom in fstab).
> 
> How can I change this behaviour, e.g. I'd like to have it
> in exec mode.

Yes, of course, the good old times of /etc/fstab for external device
mounting are gone and now we are in the power of UDev/HAL/Gnome-VFS
hell's magic. Many thanks to David and Jon for the good explanation of
how to change the default behavior of external storage mounting, but we
must keep in mind the serious security problems of such solutions:
'noexec' mounting is a great wall against malicious code from external
untrusted sources, viruses, trojans and so on. Just take a look, for
example, at this presentation:

http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf

My 5 cents about other possible ways of solving this problem:

1. The simplest way for a single-use 'exec' mount is just
remounting:

mount -o remount,exec /dev/cdrom

2. The more convenient way, especially for setting up device drivers or
3rd-party software, is using the standard 'autorun' mechanism. RHEL
provides this via the additional_cds firstboot plugin -- it mounts the
CD/DVD in 'exec' mode, finds the 'autorun' script and runs it. In SL
this plugin is removed by the 'sl-release' package. Troy, what do you
think, maybe this possibility would be useful for SL users -- some HW
vendors (Samsung, for example) now put such installers on device driver
media?

In addition to the firstboot plugin we made a special package for
running 'autorun' scripts in a user's session:

http://downloads.naulinux.ru/pub/NauLinux/5.5/i386/SL/run_autorun-1.1-1.Nau5x.noarch.rpm
http://downloads.naulinux.ru/pub/NauLinux/5x/SRPMS/run_autorun-1.1-1.Nau5x.src.rpm

It is run by the consolehelper wrapper and asks the user for root's
password as a protection from fools, looks at hal-mounted devices,
searches for 'autorun' scripts, remounts to 'exec' mode, runs 'autorun'
and remounts the storage once again to 'noexec' mode. Of course, we have
a dangerous period during the 'exec' mounting stage in multi-user
environments, but it seems the least harm in comparison with 'exec'
mounting by default.

> Regards,
> 
> Marc

Best wishes,
--Oleg
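
Added example, not part of the message above and not code from the
run_autorun package: a shell check that lists removable-media mounts
currently lacking 'noexec', for instance to confirm that a temporary
'remount,exec' was reverted. It assumes removable media are mounted under
/media or use an iso9660/udf filesystem; the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example: report removable-media mounts that currently allow execution.
# Assumption: removable media sit under /media or use iso9660/udf.

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_exec_mounts: read /proc/mounts-format lines on stdin and print
# "device mountpoint" for every removable mount without 'noexec'.
# Returns 0 if all are noexec, 1 if at least one allows execution.
audit_exec_mounts() {
    found=0
    while read -r dev mnt fstype opts _rest; do
        removable=0
        case "$mnt" in /media/*) removable=1 ;; esac
        case "$fstype" in iso9660|udf) removable=1 ;; esac
        [ "$removable" -eq 1 ] || continue
        if ! has_opt "$opts" noexec; then
            printf '%s %s\n' "$dev" "$mnt"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/hdc /media/SL_51 iso9660 ro,noexec,nosuid,nodev,uid=500 0 0
/dev/sdb1 /media/USBDISK vfat rw,nosuid,nodev,uid=500 0 0
/dev/hdd /mnt/cd udf ro 0 0
EOF
}

# Demo on the sample; on a live system use: audit_exec_mounts < /proc/mounts
sample_mounts | audit_exec_mounts || true
```

Options are matched as whole comma-separated fields, so an option that merely
contains the string "noexec" is not mistaken for it.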
