Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
When I run these scripts as root, it mounts the file system just fine, and I can access it read/write as root, but I have read only access in my normal user account (crashsystems). I would like to be able to access the file system without giving my root password first, but most importantly I need to be able to have read/write access to it with a non-root account. When I try to run the open script as crashsystems, I get the following error:
Code:
crashsystems@csmobile:~/Secure$ ./open
/dev/loop/0: Permission denied
Command failed: Incompatible libdevmapper 1.02.12 (2006-10-13)(compat) and kernel driver
mount: only root can do that
I've checked out the permissions set on the binaries for mount, umount, losetup, and cryptsetup, and made sure that they were executable by everyone, but to no avail. If anyone knows what I might be doing wrong, that would be great.
Last edited by crashsystems; 03-08-2007 at 03:19 PM.
That would indicate to me that you don't have sufficient permissions on /dev/loop0. Check the permissions on the loop0 device file and see if you can change them for all users to have rwx permissions, i.e.:
# chmod 777 /dev/loop0
and then see if you can open the encrypted filesystem as a regular user. Note of caution, I'm not sure what the possible security ramifications are for changing the permissions on loop0. Also, the permissions on loop0 may reset to their default status on reboot.
kilgoretrout, I changed the permissions as you suggested, and that solves the permission denied problem for /dev/loop/0, but I'm still getting the rest of the message.
Here's the problem as I see it. You have given ordinary users execute permissions on losetup, cryptsetup, mount and umount. However, the processes launched by these commands have a set of permissions attached to them just like users do. The general rule is that a process will have the same permissions as the user that launched the process. Unfortunately, all these processes have to do certain things that only root can do in order to generate the device file in /dev/mapper and mount the encrypted filesystem. You could probably get around that by changing the permissions on those commands to SUID root:
# chmod 4755 <full path to command>
This will cause the command to launch with root permissions instead of the user's permissions. This is also generally considered an insecure practice.
You can also accomplish much the same thing in a more secure manner with sudo. Here's a nice article going into how to set sudo up:
However, your main problem seems to be that you want ordinary users to have write access to the encrypted filesystem. You generally would accomplish that on a linux filesystem by first mounting the filesystem and then running:
# chmod -R 777 <mount point>
I would suggest mounting the encrypted filesystem as root and running:
# chmod -R 777 /home/crashsystems/Secure/files
This would work on any normal linux filesystem. It is imperative that the filesystem be first mounted before running the command or it won't work.
Changing the mount point permissions post-mount did the trick. I'll probably set up sudo for the task eventually. I was thinking though, could I just chown root my open and close scripts, and make them writable only by root, then set up the sudo stuff for those scripts. Do you think that would work? Thanks for your help.
I know SUID does not work on bash scripts, i.e. you can't set the permissions on a bash script SUID. It's just way too insecure and automatically not allowed on scripts; you need a compiled executable binary for SUID to work properly. I'm not sure about sudo but my guess is you can get it to work on scripts. If not, you probably just need to deal with losetup and cryptsetup.
Last edited by kilgoretrout; 03-09-2007 at 12:12 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.