[Fedora-livecd-list] Preventing access to /mnt/live (inter alia)

James Heather j.heather at surrey.ac.uk
Fri Mar 5 15:15:03 UTC 2010


> > (1) I want to stop non-root users from being able to mount other drives,
> > e.g., other USB sticks. How do I do that? (It's not enough to kill off
> > the auto-mounting if people will still be able to mount from the command
> > line.)
> 
> You probably want to configure polkit (PolicyKit in F11) to not allow 
> local users to do such administrative tasks.
> I would start looking at 
> /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf (perhaps 
> /etc/PolicyKit in F11).
> Or perhaps it could be solved at DeviceKit-disks level ...

You da man. For the record, what I now have is

%post
#all non-root users need root password to mount anything
if [[ -x /usr/bin/pklalockdown ]]
then
	#this is for F12+
	pklalockdown --lockdown org.freedesktop.devicekit.disks.filesystem-mount
else
	#this is F11-specific
	polkit-action --set-defaults-active org.freedesktop.devicekit.disks.filesystem-mount auth_admin
fi
%end

which seems to work nicely.

> But how will you prevent the users from booting another USB stick where 
> they have full root access and from which they can open, run and hack 
> your usb stick?

I can't. But then, I can't install software to stop them chatting to
each other. Some of the security has to be down to careful invigilation.

The only way to solve this by technical means would be to install the OS
on the hard drive, or on a PXE server, or some such. But sadly I don't
have the authority to do that.

The alternative is to use the 'secure' environment that they have set up
in Windows... where blocking network access means installing something
in IE8 to stop them browsing forbidden web sites! But it doesn't block
anything else, and we're giving them a compiler for goodness' sake.

> > (2) On a more relevant point for this list, I've noticed that all users
> > have access to the base FAT32 filesystem of the bootable USB stick,
> > on /mnt/live. How do I get this mounted so that only root can
> > read /mnt/live? I don't want someone to be able to write code to unpick
> > the squashfs image, etc. These are programming exams, so they have a
> > compiler available, and a few of them can probably use it...
> 
> I assume that everything in the squashfs already is mounted on / , so 
> what are you trying to avoid?

They don't have unfettered access to /. They aren't root, so they can't
(for instance) read or write /etc/shadow. But they can read and
write /mnt/live/LiveOS/squashfs.img!

Worse still, they can read/write the persistent overlay. That means it
would be pretty easy to overwrite any file at all. They could install
their own /etc/shadow with some judicious manipulation of the overlay.

I want to be sure that, provided they've booted from the stick I've
given them, they can't break the security.

> > (I don't know if it's relevant, but currently I have to build this as
> > Fedora 11, because my first go is a 3D graphics exam, and they need the
> > proprietary ATI driver.)
> 
> That is almost the same as giving them root access.
> 
> (Just kidding. I really don't know. But neither do you. ;-) )

Fortunately, nor do they!

James
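For the /mnt/live question above, here is an added audit check (not code from this thread and not part of Fedora's live tooling): it reads a mount table in /proc/mounts format and reports whether the vfat mount's fmask/dmask deny the "other" class, i.e. whether non-root users can read the stick's FAT32 filesystem at all. It assumes a POSIX sh with awk and mktemp; the sample mount tables are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added audit helper for the /mnt/live question above (not code from the
# thread): read a mount table in /proc/mounts format and report whether the
# vfat mount at a mountpoint hides its contents from non-root users.
# Exit status: 0 = others denied, 1 = world-accessible, 2 = mountpoint absent.
check_live_mount() {
    mounts_file=$1
    mountpoint=$2
    opts=$(awk -v mp="$mountpoint" '$2 == mp { print $4; exit }' "$mounts_file")
    [ -n "$opts" ] || return 2
    fmask=""; dmask=""
    # Walk the option list in order, as the kernel does: umask= sets both
    # masks, a later fmask=/dmask= overrides one of them.
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            umask=*) fmask=${opt#umask=}; dmask=${opt#umask=} ;;
            fmask=*) fmask=${opt#fmask=} ;;
            dmask=*) dmask=${opt#dmask=} ;;
        esac
    done
    IFS=$old_ifs
    # vfat defaults both masks to the mounting process's umask (022 on a
    # normal boot), which leaves every file and directory world-readable.
    [ -n "$fmask" ] && [ -n "$dmask" ] || return 1
    # The low octal digit is the "other" class; only 7 removes all access.
    case $fmask in *7) ;; *) return 1 ;; esac
    case $dmask in *7) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample mount tables (not captured from a real system).
OPEN_MOUNTS=$(mktemp); RESTRICTED_MOUNTS=$(mktemp)
cat > "$OPEN_MOUNTS" <<'EOF'
/dev/sdb1 /mnt/live vfat rw,relatime,fmask=0022,dmask=0022,codepage=cp437 0 0
/dev/mapper/live-rw / ext4 rw,relatime 0 0
EOF
cat > "$RESTRICTED_MOUNTS" <<'EOF'
/dev/sdb1 /mnt/live vfat rw,relatime,uid=0,gid=0,umask=077,codepage=cp437 0 0
/dev/mapper/live-rw / ext4 rw,relatime 0 0
EOF

for table in "$OPEN_MOUNTS" "$RESTRICTED_MOUNTS"; do
    if check_live_mount "$table" /mnt/live; then
        echo "$table: /mnt/live is hidden from non-root users"
    else
        echo "$table: /mnt/live is readable by every user"
    fi
done
```

On a booted live system, run it against /proc/mounts instead of the sample tables; a result of 1 means the overlay and squashfs.img are exactly as exposed as described in the message.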
