From: Marc Weber <marco-oweber@gmx.de>
To: Marc Weber <marco-oweber@gmx.de>
Cc: autofs <autofs@linux.kernel.org>
Subject: Re: sshfs and autofs
Date: Fri, 18 Dec 2009 23:01:26 +0100 [thread overview]
Message-ID: <1261173402-sup-9510@nixos> (raw)
In-Reply-To: <1261107485-sup-320@nixos>
The script I posted last still lets other users access your mounts,
which is bad.
This script only queries the ssh-agents run by the uid specified in
the mount options (uid=..).
It also uses sudo -u#uid to run sshfs, causing a user mount.
So other users can still cause the mount. But they can't access the
filesystem contents:
# ls -l /auto/mlin;
ls: cannot open directory /auto/mlin: Permission denied
# ls -l /auto
ls: cannot access /auto/mlin: Permission denied
total 0
d????????? ? ? ? ? ? mlin
Whatever those question marks mean?
Updated script:
# setuid-wrappers for fusermount (the ${pkgs.*} parts are Nix interpolations)
export PATH=/var/setuid-wrappers:${pkgs.coreutils}/bin:${pkgs.sshfsFuse}/bin:${pkgs.openssh}/bin:${pkgs.procps}/bin:${pkgs.lsof}/bin:${pkgs.gnused}/bin/:${pkgs.sudo}/bin

pids=$(pgrep ssh-agent)

# get uid=nr from the mount options passed in the arguments
uid=$(echo "$@" | sed -n 's@.*uid=\([0123456789]\+\).*@\1@p')

connect(){
    sudo=$1; shift
    # $sudo is deliberately unquoted: it is either empty or "sudo -E -u#<uid>"
    $sudo sshfs -o ssh_command="ssh -o NumberOfPasswordPrompts=0" "$@" \
        && exit 0 || true
}

# Change ownership of mountpoint. Ownership will be overridden when mount succeeds.
# Otherwise fusermount can't access it (?!)
chown "$uid" "$2"
chmod u+w "$2"

for p in $pids; do
    # lsof -F output: a "u<uid>" line for the process and "n<path>" lines for its unix sockets
    res="$(lsof -p "$p" -a -U -Fnu)"
    user_id=$(echo "$res" | sed -n 's/^u//p')
    if [ "$user_id" = "$uid" ]; then
        export SSH_AUTH_SOCK=$(echo "$res" | sed -n 's/^n//p')
        export SSH_AGENT_PID=$p
        echo "trying to connect using ssh-agent $p $SSH_AUTH_SOCK" 1>&2
        # by using sudo -u allow accessing mount by target user - Is there a better way to achieve this??
        connect "sudo -E -u#$user_id" "$@"
        echo -n " .. failed" 1>&2
    fi
done

unset SSH_AGENT_PID; unset SSH_AUTH_SOCK
# no ssh-agent found or they all belong to different users..
# Try again. Maybe there is a key without password ?
# You should not be using this!
connect "" "$@"
exit 1
Can I make automount create those key directories with user permissions
as well so that other users can't even cause a mount?
Is there a better way to restrict access to a user only compared to using
sudo?
Marc Weber
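An added example, not the script from the mail and not part of autofs or sshfs, isolating the two checks such a helper relies on: reading the target uid out of the autofs option string, and accepting an ssh-agent socket only if the socket file is really owned by that uid and carries no group/other permission bits (the posted script trusts the uid that lsof reports for the agent process; checking the socket itself is a second line of defence against pointing the mount at another user's agent). The function names, the option-string layout and the temporary file used in the demo are assumptions of this example; it assumes GNU coreutils stat(1) and sed(1), as the Nix PATH in the mail provides.

```shell
#!/bin/sh
# Added example (not the helper from the mail). Assumes GNU stat/sed.

# Print the numeric value of a uid=NNN mount option, or nothing if absent.
# A leading comma is prepended so "uid=" at the very start matches too,
# while "fsuid=" or "suid=" do not (the character before must be ' ' or ',').
mount_uid() {
    printf ',%s\n' "$*" | sed -n 's/.*[ ,]uid=\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if $1 exists, is owned by uid $2 and has no group/other bits
# (mode ending in 00, e.g. 600 or 700); otherwise return 1.
private_file_of_uid() {
    path=$1; want=$2
    [ -e "$path" ] || return 1
    owner=$(stat -c %u "$path") || return 1
    [ "$owner" = "$want" ] || return 1
    mode=$(stat -c %a "$path") || return 1
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the first candidate that is a unix socket passing the checks above.
# Candidates would come from lsof on the ssh-agent pids, as in the mail, or
# from a glob such as /tmp/ssh-*/agent.* (assumed layout, not verified here).
pick_agent_socket() {
    want=$1; shift
    for s in "$@"; do
        if [ -S "$s" ] && private_file_of_uid "$s" "$want"; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# Demo on a constructed temporary file: mktemp creates it mode 600 and owned
# by the caller, so the ownership/mode check passes; pick_agent_socket would
# still reject it because it is a regular file, not a socket.
demo=$(mktemp)
if private_file_of_uid "$demo" "$(id -u)"; then
    echo "$demo is private to uid $(id -u)"
fi
rm -f "$demo"
```

In the helper from the mail, SSH_AUTH_SOCK would be set from pick_agent_socket's output, so a socket that lsof attributes to the right process but that is owned by, or readable by, someone else is never handed to sshfs.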