(fedora) Re: running shell scripts from external USB disk

wwp subscript at free.fr
Fri May 19 16:52:53 UTC 2006


Hello,


On Fri, 19 May 2006 10:41:04 -0500 "Mikkel L. Ellertson" <mikkel at infinity-ltd.com> wrote:

> Jacob (=Jouk) Jansen wrote:
> > Karsten wrote on 19-MAY-2006 16:20:35.24
> >> On Fri, May 19, 2006 at 04:00:07PM +0200, Jacob (=Jouk) Jansen wrote:
> >> Hi all,
> >>
> >> I have a FC5 system with an internal disk and an external USB disk
> >> with an ext3 partition on it. If a shell script (bash,csh etc..) is
> >> located on the internal drive it works fine. If I copy it to the USB
> >> disk I get problems: (why????)
> > [snip]
> >> Check the output of 'mount' for that device. I'm pretty sure that it has
> >> been mounted with the 'noexec' flag.
> >  You are right.
> >  How to change this? This USB disk is mounted automatically when plugged
> > in. I cannot edit fstab since then the machine fails to boot when the
> > disk is not present.
> > 
> >                         Jouk
> > 
> You can add a local HAL rule to override the default behavior when
> mounting USB drives. For security reasons, you may want to make the
> rule specific to that USB drive. You will want to replace the noexec
> option with the nosuid option so that someone can not plug in a USB
> drive with a suid root binary that they can use to hack the system.
> (Easy way to crack a system - suid root an editor, and modify
> /etc/passwd so you can log in as root.)

If I've understood some recent (and less recent) posts here correctly, HAL is no
longer able to change the mount options - what a pain! I could confirm it: it
fails at passing exec or any other mount option, and lines like the following fail:

(excerpts from /usr/share/hal/fdi/policy/95userpolicy/mydevice.fdi)
[..]
        <merge key="volume.policy.mount_option.noexec" type="bool">false</merge>
        <merge key="volume.policy.mount_option.exec" type="bool">true</merge>
[..]


There's a desktop alternative, adding a "remount-exec" script to
~/.gnome2/nautilus-scripts/, which lets me decide when I remount the device w/
exec capability or not (of course not for vfat ones):

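#!/bin/sh

# $LOG was not set in the excerpt; this default log path is an assumption
LOG="${LOG:-$HOME/.remount-exec.log}"

# Nautilus passes the selected paths newline-separated, so read them line
# by line (this also keeps paths containing spaces intact)
printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS" | while IFS= read -r FILE_PATH
do
	test -n "$FILE_PATH" && \
		sudo mount -o remount,exec "$FILE_PATH" >> "$LOG" 2>&1
done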


You'll need to add a line like the one below to /etc/sudoers:

yourusername ALL=NOPASSWD:/bin/mount,/bin/umount,/sbin/mount.cifs,/sbin/umount.cifs


My 2 cts.


Regards,

-- 
wwp
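
Added example, not part of the original post: the sudoers line above lets the user run /bin/mount with any arguments, so a narrower arrangement is to allow only a wrapper that remounts a volume under /media with exec while keeping nosuid and nodev, as the quoted reply suggests. The install path /usr/local/sbin/remount-exec, the /media prefix and the function name remount_opts are assumptions.

```sh
#!/bin/sh
# Restricted remount helper (added example). Hypothetical install path:
#   /usr/local/sbin/remount-exec, owned by root, mode 0755
# Matching sudoers entry (replaces the /bin/mount,/bin/umount one):
#   yourusername ALL=NOPASSWD:/usr/local/sbin/remount-exec

# remount_opts MOUNTPOINT [MOUNT_TABLE]
# Prints the option string to pass to mount, or fails with a reason when
# MOUNTPOINT is not an acceptable target. MOUNT_TABLE defaults to
# /proc/mounts; the second argument exists so the check can be exercised
# against a constructed table.
remount_opts() {
	target=$1
	table=${2:-/proc/mounts}

	# Only removable volumes mounted below /media (assumed location)
	case $target in
		/media/?*) ;;
		*) echo "refused: not under /media: $target" >&2; return 1 ;;
	esac

	# Plain path characters only: nothing the shell, awk or mount could
	# interpret specially
	case $target in
		*[!A-Za-z0-9._/-]*) echo "refused: unexpected characters" >&2; return 1 ;;
	esac

	# The argument must be exactly the mount point of a mounted volume
	fstype=$(awk -v mp="$target" '$2 == mp { t = $3 } END { print t }' "$table")
	case $fstype in
		"") echo "refused: not a mount point: $target" >&2; return 1 ;;
		vfat|msdos) echo "refused: $fstype volume" >&2; return 1 ;;
	esac

	# exec is granted, setuid binaries and device nodes stay disabled
	echo "remount,exec,nosuid,nodev"
}

# Run only when called with a mount point, e.g. from the Nautilus script:
#   sudo /usr/local/sbin/remount-exec "$FILE_PATH"
if [ $# -gt 0 ]; then
	opts=$(remount_opts "$1") || exit 1
	exec /bin/mount -o "$opts" "$1"
fi
```

With this in place the Nautilus script calls the wrapper through sudo instead of calling mount directly.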