The script I posted last lets other users still access your mounts,
which is bad.
This script only queries the ssh-agents run by the uid specified in
mount options (uid=..)
It also uses sudo -u#uid to run sshfs, causing a user mount.
So other users can still cause the mount. But they can't access the
filesystem contents:

# ls -l /auto/mlin;
ls: cannot open directory /auto/mlin: Permission denied

#  ls -l /auto
ls: cannot access /auto/mlin: Permission denied
total 0
d????????? ? ? ? ?                ? mlin

Whatever those question marks mean?


Updated script

    # setuid-wrappers for fusermount
    export PATH=/var/setuid-wrappers:${pkgs.coreutils}/bin:${pkgs.sshfsFuse}/bin:${pkgs.openssh}/bin:${pkgs.procps}/bin:${pkgs.lsof}/bin:${pkgs.gnused}/bin/:${pkgs.sudo}/bin
    pids=`pgrep ssh-agent`
    # get uid=nr from arguments
    uid=$(echo "$@"| sed -n 's@.*uid=\([0123456789]\+\).*@\1@p')
    connect(){
      sudo=$1; shift
      $sudo sshfs -o ssh_command="ssh -o NumberOfPasswordPrompts=0" "$@" \
       && exit 0 || true
    }
    # Change ownership of mountpoint. Ownership will be overridden when mount succeeds.
    # Otherwise fusermount can't access it (?!)
    chown $uid "$2"
    chmod u+w "$2"
    for p in $pids; do
      res="$(lsof -p $p -a -U  -Fnu)"
      user_id=$(echo "$res"| sed -n 's/^u//p')
      if [ "$user_id" == "$uid" ]; then
        export SSH_AUTH_SOCK=$(echo "$res"| sed -n 's/^n//p')
        export SSH_AGENT_PID=$p
        echo "trying to connect using ssh-agent $p $SSH_AUTH_SOCK" 1>&2
        # by using sudo -u allow accessing mount by target user - Is there a better way to achieve this??
        connect "sudo -E -u#$user_id" "$@"
        echo -n " .. failed" 1>&2
      fi
    done
    unset SSH_AGENT_PID; unset SSH_AUTH_SOCK

    # no ssh-agent found or they all belong to different users..
    # Try again. Maybe there is a key without password ?
    # You should not be using this!
    connect "" "$@"
    exit 1


Can I make automount create those key directories with user permissions
as well so that other users can't even cause a mount?

Is there a better way to restrict access to a user only compared to using
sudo?

Marc Weber
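
An added example, not part of the original message: the uid extraction and agent lookup from the script above, written to fail closed when no numeric uid= or no matching agent socket is found, rather than retrying sshfs without an agent. It goes beyond the posted script by handling several process records in one lsof -F listing; the function names and the sample listing are constructed for illustration, and the " type=STREAM" suffix handling is an assumption about some lsof builds.

```shell
#!/bin/sh
# Constructed sample of `lsof -a -U -Fnu` field output for two agents.
SAMPLE_LSOF='p4242
u1000
f3
n/tmp/ssh-AbCd1234/agent.4241 type=STREAM
f4
n/tmp/ssh-AbCd1234/agent.4241 type=STREAM
p5151
u1001
f3
n/tmp/ssh-ZyXw9876/agent.5150'

# Print the value of a standalone uid= mount option, digits only.
# Anchoring at the start of the option avoids matching names that merely end in "uid=".
mount_uid() {
  printf '%s\n' "$1" | tr ', ' '\n\n' \
    | sed -n 's/^uid=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Read lsof -F lines on stdin; print the first socket path owned by uid $1.
agent_socket_for_uid() {
  awk -v want="$1" '
    /^p/ { owner = "" }                  # a new process record starts
    /^u/ { owner = substr($0, 2) }       # uid of that process
    /^n\// && owner == want {
      path = substr($0, 2)
      sub(/ type=.*$/, "", path)         # assumed suffix on some lsof builds
      print path
      exit                               # one socket only, never a multi-line value
    }'
}

# Print "uid socket" or return non-zero; the caller must not mount on failure.
select_agent() {
  uid=$(mount_uid "$1")
  [ -n "$uid" ] || { echo "no numeric uid= in mount options" >&2; return 2; }
  sock=$(printf '%s\n' "$2" | agent_socket_for_uid "$uid")
  [ -n "$sock" ] || { echo "no ssh-agent socket for uid $uid" >&2; return 1; }
  printf '%s %s\n' "$uid" "$sock"
}

select_agent "rw,uid=1000,gid=100" "$SAMPLE_LSOF"
```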
