LinuxQuestions.org
Old 09-11-2016, 05:30 PM   #1
CamTheSaxMan
Why does mounting require root privileges?


I've been wondering about this for a while, and I've never gotten a clear answer. What's the rationale behind only allowing root to mount filesystems? With all the removable media like flash drives, CD-ROMs, SD cards, phones, cameras, and even network shares, it's common for a user to want to be able to access files on those devices. However, doing so requires mounting the filesystem, which for some reason, requires root privileges. To me, the intuitive thing would be that if a user is able to delete a directory and create files in that directory, he/she should be able to mount a device in that directory. Instead, mount is reserved for root only, and doesn't care anything about the files which are being shadowed. Something as simple as listening to music from a CD or saving a document to a flash drive requires root! I know many desktop environments get around this with FUSE or using IPC to communicate with a daemon which handles the actual mounting and unmounting, but this seems like a strange hack that works around a design flaw of Linux.
 
Old 09-11-2016, 05:40 PM   #2
Emerson
Wrong. Root access is required to set up access to mount filesystems, not mounting them. Start with man fstab and man mount.
 
Old 09-11-2016, 06:26 PM   #3
jlliagre
True, mount does require root privileges.
man -s 2 mount:

Appropriate privilege (Linux: the CAP_SYS_ADMIN capability) is required to mount file systems.
However, if the file system to mount already has an entry in the /etc/fstab file and this entry has the "user" option set, anybody will be allowed to mount it. This is possible because the mount command has the root suid bit set. Similar rights might also be granted to users owning or belonging to the group of the device to mount (options "owner" and "group").

The rationale behind the default limitation is that granting the right for anyone to mount any file system would be a serious security issue.

Let's say I mount a file system where there is a copy of a shell binary with the root suid bit set, and I'm able to become root without a password by running it.

Other issues would be mounting a file system with device files (i.e. major/minor) that belong to me, or with 0777 permissions and I would be able to access the actual devices behind them with no restrictions and either damage or hack the system.

Of course, the risk is mitigated when limited power file systems like FAT32 or iso, which do not support suid executables or devices, are used. The system is also disabling the device and suid support at mount time when users or groups are granted the right to mount the file system.

Note that on most Linux systems, there is no issue with the removable media you are talking about because there is typically a service that automounts them for you and applies the right restrictions to avoid the security issues I was referring to.

Last edited by jlliagre; 09-11-2016 at 06:32 PM.
 
Old 09-11-2016, 06:30 PM   #4
Emerson
Code:
/dev/mmcblk0p1          /mnt/sd         vfat            noatime,sync,users,noauto,umask=000,shortname=lower 0 0
Above example allows me to mount my SD card as user, in fact Thunar mounts it happily for me when I click on SD shortcut.
 
Old 09-11-2016, 06:34 PM   #5
jlliagre
Yes, but that's because there is the "users" option set which allows anyone to mount that specific device, and anyone else to unmount it.
 
Old 09-11-2016, 06:38 PM   #6
Emerson
Right, root access is required to set up user access ... isn't that what I said earlier?
 
Old 09-11-2016, 07:02 PM   #7
jlliagre
I understand what you mean and possibly misunderstood what your "Wrong" was about. It is clear the OP's two last statements are incorrect.

The standard behavior is for mount to require root access to succeed. You are focusing on the mechanisms put in place to allow a non-privileged user to mount removable media in a secure way or to have them mounted automatically, but this is an exception to the default rule, not how mount was originally designed.

In any case, I'm replying to the question "What's the rationale behind only allowing root to mount file systems?" and my reply wouldn't make sense if the question statement was incorrect.
 
Old 09-11-2016, 07:06 PM   #8
Emerson
To generalize, the *nix principle is "default denied", and whatever a user needs to do outside of the home directory, permission for it must be granted by root; mount is no exception.
 
Old 09-11-2016, 07:20 PM   #9
jlliagre
This is unrelated to the file system permissions or the home directories. Users aren't allowed by default to mount anything inside their home directory either for the very reasons I have presented.

The point here is a restricted system call and the reason it is restricted is that it potentially allows privilege escalation.

Also, there is usually no need for the permission to mount removable media to be explicitly granted by root, the permission is already there at installation time, being part of the OS configuration.
 
Old 09-11-2016, 07:28 PM   #10
Emerson
Mounting inside home still requires accessing a node in /dev - which is outside of home. Removable devices are usually not mounted by the OS; nowadays it is the DE that does it.
 
Old 09-11-2016, 08:21 PM   #11
jlliagre
Granted about /dev, although technically nothing forbids having a device file under a home directory.

The DE is indeed nowadays the component that eventually mounts the device, but this mechanism is closely tied with the OS (the kernel detects the device insertion, notifies a first daemon like devfs/udev/systemd, which notifies other daemons, etc.). In any case, a DE is normally considered to be part of the OS where it is installed.
 
Old 09-11-2016, 09:06 PM   #12
jpollard
Quote:
Originally Posted by CamTheSaxMan View Post
I've been wondering about this for a while, and I've never gotten a clear answer. What's the rationale behind only allowing root to mount filesystems? With all the removable media like flash drives, CD-ROMs, SD cards, phones, cameras, and even network shares, it's common for a user to want to be able to access files on those devices. However, doing so requires mounting the filesystem, which for some reason, requires root privileges. To me, the intuitive thing would be that if a user is able to delete a directory and create files in that directory, he/she should be able to mount a device in that directory. Instead, mount is reserved for root only, and doesn't care anything about the files which are being shadowed. Something as simple as listening to music from a CD or saving a document to a flash drive requires root! I know many desktop environments get around this with FUSE or using IPC to communicate with a daemon which handles the actual mounting and unmounting, but this seems like a strange hack that works around a design flaw of Linux.
Not a hack. It is security.

Mounting arbitrary filesystems allows device nodes to be included - and to violate security, just having /dev/mem (the device) would allow inappropriate access to anything in memory, and allow changing restrictions placed on the user (like switching it to root just by replacing the UID entries in the process header).

Other problems introduced are setuid programs (like /usr/bin/passwd is) on a bash interpreter - suddenly you have root without any effort, which in turn gives you control over the entire system.

That is why mounts placed for users have to be in the /etc/fstab. It allows the administrator to DEFINE the restrictions (nodev, nosetuid, and possibly even noexec for what should be data only). Without restricting mount the administrator cannot ensure the security or reliability of the system.

udev applies restrictions on the automatic mounts for USB/CD/DVDs. And udev can be configured to not allow users access.

Last edited by jpollard; 09-11-2016 at 09:09 PM.
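
An added example (not code from any poster in this thread): a Python check over fstab text that reports entries unprivileged users may mount where later options switch `suid` or `dev` back on. The flags implied by `user`, `users`, `owner` and `group` are taken from mount(8); the function names are hypothetical, and every sample entry except the SD card line from post #4 is constructed.

```python
# Added example: audit fstab text for user-mountable entries that lost nosuid/nodev.
# Implied flags per mount(8); all names and SAMPLE_FSTAB are illustrative.
IMPLIED = {
    "user":  {"noexec", "nosuid", "nodev"},
    "users": {"noexec", "nosuid", "nodev"},
    "owner": {"nosuid", "nodev"},
    "group": {"nosuid", "nodev"},
}
# Options apply left to right, so a later "suid" or "dev" undoes an implied flag.
TOGGLES = {"exec": "noexec", "suid": "nosuid", "dev": "nodev"}

def effective_restrictions(options):
    """Return (user_mountable, restrictions still in force after all options)."""
    active, user_mountable = set(), False
    for opt in (o.strip() for o in options.split(",")):
        if opt in IMPLIED:
            user_mountable = True
            active |= IMPLIED[opt]
        elif opt == "nouser":                # explicitly withdraws user mounting
            user_mountable = False
        elif opt in TOGGLES:                 # exec / suid / dev re-enable
            active.discard(TOGGLES[opt])
        elif opt in TOGGLES.values():        # noexec / nosuid / nodev restrict
            active.add(opt)
    return user_mountable, active

def audit_fstab(text):
    """List (mount_point, fstype, missing_flags) for risky user-mountable entries."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue                         # blank, comment or short line
        user_mountable, active = effective_restrictions(fields[3])
        missing = sorted({"nosuid", "nodev"} - active)
        if user_mountable and missing:
            findings.append((fields[1], fields[2], missing))
    return findings

# First entry is the SD card line from post #4; the rest are constructed.
SAMPLE_FSTAB = """\
/dev/mmcblk0p1 /mnt/sd   vfat noatime,sync,users,noauto,umask=000,shortname=lower 0 0
/dev/sdb1      /mnt/usb  ext4 user,noauto,suid,dev 0 0
/dev/sdc1      /mnt/data ext4 noauto,owner,exec 0 0
/dev/sda2      /home     ext4 defaults 0 2
"""

if __name__ == "__main__":
    for mount_point, fstype, missing in audit_fstab(SAMPLE_FSTAB):
        print(f"{mount_point} ({fstype}): user-mountable without {', '.join(missing)}")
```

Only the constructed `/mnt/usb` entry is reported: its `suid,dev` come after `user` and cancel the restrictions that `user` would otherwise imply.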
 
Old 09-12-2016, 09:39 AM   #13
onebuck
Member response

Hi,

To have a normal user have such rights opens security issues. That's why a normal user without root privileges should receive this when issuing the mount command:
Code:
$ mount /dev/sdc2 /mnt/sdc2
mount: only root can do that
The way around that would be to allow the user to
Code:
su -
password: xxxxxx
The superuser would need to share the root password, which could be a potential headache for him/her. Or root could modify '/etc/sudoer' to reflect the user's usage. Even then I am very doubtful to allow some users those rights.

Why do you think we have all these queries here at LQ when a user that does not know what they are doing trashes a system when issuing commands that corrupt the system?

Security;
Quote:
noun, plural securities.
1. freedom from danger, risk, etc.; safety.
2. freedom from care, anxiety, or doubt; well-founded confidence.
3. something that secures or makes safe; protection; defense.
4. freedom from financial cares or from want: The insurance policy gave the family security.
5. precautions taken to guard against crime, attack, sabotage, espionage, etc.: claims that security was lax at the embassy; the importance of computer security to prevent hackers from gaining access.
6. a department or organization responsible for protection or safety: He called security when he spotted the intruder.
7. protection or precautions taken against escape; custody: The dangerous criminal was placed under maximum security.
Pick one of the above definitions that suits you and the reasons that a secure Gnu/Linux limits those rights to a normal user as a default.

For a DE to auto-mount a device those privileges have been met by the initial configurations for that user's environment.

Hope this helps.
Have fun & enjoy!
 
  


All times are GMT -5.