
I would like users to be able to mount ext3 image files as loopback devices in read-only and no-execution modes without having to invoke sudo. The sudo command currently used is something like:

$ EXT3_DIR=$(mktemp -d /tmp/ext3-mnt-XXX) ; sudo mount -o loop,ro,user rootfs.ext3 ${EXT3_DIR} && cd ${EXT3_DIR}

With that (and visudo), I created a file: /etc/sudoers.d/ext3-ro-mount with the contents:

user ALL=(root) NOPASSWD: /bin/mount -o loop\,ro\,user *.ext3 /tmp/ext-mnt-*

But when I run the mount command without sudo elevation, I get the error:

mount: only root can use "--options" option

How can I achieve this for users? (and what would the subsequent /etc/sudoers.d/ext3-ro-umount content look like?)

EDIT:

Having misunderstood how what I was doing is actually meant to work, I ran the command with sudo on a less privileged account, entered the password and got this error:

{such and such} is not in the sudoers file.  This incident will be reported.

How do I add a user to the sudoers file without making them a full-blown sudoer? Is this achieved by creating a new group and giving the group permission to do this?

EDIT 2:

I figured out the issue I was having. See my answer below.

Jamie
  • 146
  • I had written an answer for this QA a while back, and it seems similar to your situation. In essence, the process involves setting up an fstab entry with the user/users option. Can you take a look and see if it helps? – Haxiel Oct 13 '20 at 16:17
  • @Haxiel Can the fstab take wildcards? My example shows the image file being rootfs.ext3, but in reality, only the suffix (.ext3) will be fixed. – Jamie Oct 13 '20 at 16:36
  • Why is it a problem for the users having to type the extra word sudo in front of the mount command? – meuh Oct 13 '20 at 16:52
  • @Jamie fstab entries are typically one-to-one mappings of a device/filesystem to a path. So as far as I know, fstab does not support wildcards. You'll need one entry per image file. – Haxiel Oct 13 '20 at 17:05
  • @Haxiel I thought as much, which is why I'm hoping I can do this with a sudo configuration. – Jamie Oct 13 '20 at 17:23
  • @meuh Asking a user to add sudo to the command isn't the issue: I don't want them to have sudo privileges, just the ability to mount/umount an image with the restrictions I outlined. – Jamie Oct 13 '20 at 17:28
  • They will only be able to execute the single mount command you have specified, unless you also add them to, say, group sudo and you already have a default entry for %sudo ALL=(ALL:ALL) ALL, as some distributions do (or %wheel for Fedora). You don't have to do that. – meuh Oct 13 '20 at 17:57
  • @Jamie After reading the question and comments it seems like you are expecting that adding a command to the sudoers configuration allows a user to run it without sudo. It is the other way round: it allows the user to run that command line (and only that one) using sudo, while sudo any other command will fail. – fra-san Oct 13 '20 at 21:29
  • @fra-san You're quite correct. Let me try logging off and on again to see if what I tried worked. – Jamie Oct 13 '20 at 22:29
  • Note: You used -o loop\,ro\,noexec in the file. A command must contain -o loop,ro,noexec to match this. Your command contains -o loop,noexec,ro. sudo neither is aware nor cares if these are equivalent for mount, it compares character strings. – Kamil Maciorowski Oct 13 '20 at 23:01
  • @KamilMaciorowski You're quite right, and I knew that. That was a transcription between console and webUI error. – Jamie Oct 14 '20 at 14:52

2 Answers

0

sudo supports fine-grained privileges.

E.g. you can set it up so that a specified user or group can execute a specified command with specified arguments with or without a password.

See man sudoers

  • Do you somehow think the attempt I made was accomplished without consulting documentation? I'm having trouble with the syntax, so obviously, I'm missing something you clearly think is obvious on the man page. A little more insight would be appreciated. – Jamie Oct 13 '20 at 22:27
  • You said without sudo, therefore I have not given any detail on how to use sudo. Only guidance to say that I believe that you should use it. It may now be a good idea after reading the manual, and trying it, to ask another question. – ctrl-alt-delor Oct 14 '20 at 09:17
0

The correct form of the sudoer file I was looking for was to replace user with ALL:

ALL ALL=(root) NOPASSWD: /bin/mount -o loop\,ro\,user *.ext3 /tmp/ext-mnt-*
Jamie
  • 146
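
The string comparison described in the comments can be checked offline before a rule goes into /etc/sudoers.d. This is an added example, not code from the original posts or from sudo: it approximates sudoers argument matching with Python's fnmatch (sudo itself applies fnmatch(3) to the space-joined arguments). It assumes the command is given by its full path, uses constructed sample command lines, and parse_rule and sudo_allows are hypothetical helper names.

```python
import fnmatch
import shlex

# Command part of the rule as written on the page (user/host/runas/tag omitted).
RULE = r"/bin/mount -o loop\,ro\,user *.ext3 /tmp/ext-mnt-*"


def parse_rule(rule):
    """Split a sudoers command spec into (command path, argument pattern)."""
    path, _, args = rule.partition(" ")
    # sudoers requires ',' to be backslash-escaped; only that escape is undone here.
    return path, args.replace("\\,", ",")


def sudo_allows(rule, command_line):
    """Approximate sudoers matching for one shell-style command line."""
    path, pattern = parse_rule(rule)
    argv = shlex.split(command_line)
    if not argv or argv[0] != path:
        return False  # assumption: the caller supplies the full command path
    # Arguments are compared as ONE space-joined string, so '*' can
    # also match '/' and spaces, not just a single file name.
    return fnmatch.fnmatchcase(" ".join(argv[1:]), pattern)


# Constructed sample invocations (what a user would type after "sudo").
SAMPLES = [
    # exact option string, mount point named like the rule
    "/bin/mount -o loop,ro,user rootfs.ext3 /tmp/ext-mnt-a1B",
    # same options in a different order: equivalent for mount, not for sudo
    "/bin/mount -o loop,user,ro rootfs.ext3 /tmp/ext-mnt-a1B",
    # directory named after the question's mktemp template (ext3-mnt, not ext-mnt)
    "/bin/mount -o loop,ro,user rootfs.ext3 /tmp/ext3-mnt-a1B",
    # the wildcard spans a directory separator and a space in the image path
    "/bin/mount -o loop,ro,user '/srv/img dir/a.ext3' /tmp/ext-mnt-a1B",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("ALLOW" if sudo_allows(RULE, line) else "DENY ", line)
```

Because the wildcards match across word boundaries, a rule like this permits more than one file name and one directory name; a fixed wrapper script that validates its own arguments is the narrower alternative.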