LinuxQuestions.org
Old 03-08-2007, 11:40 AM   #1
crashsystems
Member
 
Registered: May 2006
Location: Tennessee et. al
Distribution: Debian Sid, Etch
Posts: 138

Rep: Reputation: 15
mounting encrypted img without being root


I'm running a Debian Sid box with the 2.6.18-4 kernel. I created a 1gb encrypted image file with the following commands (as root):
Code:
dd if=/dev/zero of=secure.img bs=1M count=1024
losetup /dev/loop/0 secure.img
cryptsetup -y create secure /dev/loop/0
mkfs.xfs /dev/mapper/secure
Once the file was created, I made two scripts, open and close, to access the encrypted file system.

open:
Code:
#!/bin/sh
/sbin/losetup /dev/loop/0 secure.img
/sbin/cryptsetup create secure /dev/loop/0
mount /dev/mapper/secure /home/crashsystems/Secure/files
close:
Code:
#!/bin/sh
umount /home/crashsystems/Secure/files
/sbin/cryptsetup remove secure
/sbin/losetup -d /dev/loop/0
Also, I've added the following entry into /etc/fstab:
Code:
/dev/mapper/secure /home/crashsystems/Secure/files xfs defaults,noatime,user 0 0
When I run these scripts as root, it mounts the file system just fine, and I can access it read/write as root, but I have read only access in my normal user account (crashsystems). I would like to be able to access the file system without giving my root password first, but most importantly I need to be able to have read/write access to it with a non-root account. When I try to run the open script as crashsystems, I get the following error:
Code:
crashsystems@csmobile:~/Secure$ ./open
/dev/loop/0: Permission denied
Command failed: Incompatible libdevmapper 1.02.12 (2006-10-13)(compat) and kernel driver
mount: only root can do that
I've checked out the permissions set on the binaries for mount, umount, losetup, and cryptsetup, and made sure that they were executable by everyone, but to no avail. If anyone knows what I might be doing wrong, that would be great.

Last edited by crashsystems; 03-08-2007 at 03:19 PM.
 
Old 03-08-2007, 01:14 PM   #2
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,300

Rep: Reputation: 138
Code:
/dev/loop/0: Permission denied
That would indicate to me that you don't have sufficient permissions on /dev/loop0. Check the permissions on the loop0 device file and see if you can change them for all users to have rwx permissions, i.e.:

# chmod 777 /dev/loop0

and then see if you can open the encrypted filesystem as a regular user. Note of caution, I'm not sure what the possible security ramifications are for changing the permissions on loop0. Also, the permissions on loop0 may reset to their default status on reboot.
 
Old 03-08-2007, 01:25 PM   #3
crashsystems
Member
 
Registered: May 2006
Location: Tennessee et. al
Distribution: Debian Sid, Etch
Posts: 138

Original Poster
Rep: Reputation: 15
kilgoretrout, I changed the permissions as you suggested, and that solves the permission denied problem for /dev/loop/0, but I'm still getting the rest of the message.
 
Old 03-08-2007, 02:01 PM   #4
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,300

Rep: Reputation: 138
I think you may also need write permissions to the /dev/mapper directory.
 
Old 03-08-2007, 02:07 PM   #5
crashsystems
Member
 
Registered: May 2006
Location: Tennessee et. al
Distribution: Debian Sid, Etch
Posts: 138

Original Poster
Rep: Reputation: 15
Adding write permissions didn't change anything. Have any other ideas?
 
Old 03-08-2007, 05:38 PM   #6
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,300

Rep: Reputation: 138
Here's the problem as I see it. You have given ordinary users execute permissions on losetup, cryptsetup, mount and umount. However, the processes launched by these commands have a set of permissions attached to them just like users do. The general rule is that a process will have the same permissions as the user that launched the process. Unfortunately, all these processes have to do certain things that only root can do in order to generate the device file in /dev/mapper and mount the encrypted filesystem. You could probably get around that by changing the permissions on those commands to SUID root:

# chmod 4755 <full path to command>

This will cause the command to launch with root permissions instead of the user's permissions. This is also generally considered an insecure practice.
You can also accomplish much the same thing in a more secure manner with sudo. Here's a nice article going into how to set sudo up:

http://polishlinux.org/first-steps/r...ount/sudo-faq/

However, your main problem seems to be that you want ordinary users to have write access to the encrypted filesystem. You generally would accomplish that on a linux filesystem by first mounting the filesystem and then running:

# chmod -R 777 <mount point>

I would suggest mounting the encrypted filesystem as root and running:

# chmod -R 777 /home/crashsystems/Secure/files

This would work on any normal linux filesystem. It is imperative that the filesystem be first mounted before running the command or it won't work.
 
Old 03-09-2007, 10:33 AM   #7
crashsystems
Member
 
Registered: May 2006
Location: Tennessee et. al
Distribution: Debian Sid, Etch
Posts: 138

Original Poster
Rep: Reputation: 15
Changing the mount point permissions post-mount did the trick. I'll probably set up sudo for the task eventually. I was thinking though, could I just chown root my open and close scripts, and make them writable only by root, then set up the sudo stuff for those scripts? Do you think that would work? Thanks for your help.
 
Old 03-09-2007, 12:08 PM   #8
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,300

Rep: Reputation: 138
I know SUID does not work on bash scripts, i.e. you can't set the permissions on a bash script SUID. It's just way too insecure and automatically not allowed on scripts; you need a compiled executable binary for SUID to work properly. I'm not sure about sudo but my guess is you can get it to work on scripts. If not, you probably just need to deal with losetup and cryptsetup.

Last edited by kilgoretrout; 03-09-2007 at 12:12 PM.
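
On the question in post #7 (root-owned open/close scripts run through sudo), an added example that is not from either poster: before a script is listed in sudoers, check that neither the script nor the directory holding it can be changed by the invoking user. The /usr/local/sbin paths, the sudoers line and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Intended sudoers entry (edit with visudo;
# the /usr/local/sbin paths are hypothetical install locations):
#   crashsystems ALL=(root) /usr/local/sbin/secure-open, /usr/local/sbin/secure-close

# perm_ok PATH UID: true if PATH is owned by UID and is not group- or
# other-writable. Symlinks show as lrwxrwxrwx and are therefore rejected.
perm_ok() {
    info=$(ls -ldn -- "$1" 2>/dev/null) || return 1
    mode=${info%% *}                                  # e.g. -rwxr-xr-x
    uid=$(printf '%s\n' "$info" | awk '{print $3}')   # numeric owner (-n)
    [ "$uid" = "$2" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;               # g+w or o+w
    esac
    return 0
}

# audit_sudo_target FILE [UID]: FILE and the directory holding it must both
# pass perm_ok for UID (default 0, root). A root-owned script inside a
# user-owned directory fails, because the user can rename it and put
# another file in its place.
audit_sudo_target() {
    owner=${2:-0}
    [ -f "$1" ] || { echo "missing: $1"; return 2; }
    dir=$(dirname -- "$1")
    perm_ok "$1" "$owner"   || { echo "unsafe file: $1"; return 1; }
    perm_ok "$dir" "$owner" || { echo "unsafe directory: $dir"; return 1; }
    echo "ok: $1"
}

# Usage: sh audit.sh /usr/local/sbin/secure-open /usr/local/sbin/secure-close
for target in "$@"; do
    audit_sudo_target "$target"
done
```

A script left in /home/crashsystems/Secure fails the directory check even after `chown root`, which is why the sketch assumes the scripts are moved to a root-owned directory first.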
 
  


All times are GMT -5. The time now is 12:18 AM.
