udevil.conf
##############################################################################
#
# udevil configuration file /etc/udevil/udevil.conf
#
# This file controls what devices, networks, and files users may mount and
# unmount via udevil (set suid).
#
# IMPORTANT: IT IS POSSIBLE TO CREATE SERIOUS SECURITY PROBLEMS IF THIS FILE
# IS MISCONFIGURED - EDIT WITH CARE
#
# Note: For greater control for specific users, including root, copy this
# file to /etc/udevil/udevil-user-USERNAME.conf replacing USERNAME with the
# desired username (eg /etc/udevil/udevil-user-jim.conf).
#
# Format:
# OPTION = VALUE[, VALUE, ...]
#
# DO NOT USE QUOTES except literally
# Lines beginning with # are ignored
#
##############################################################################
# To log all uses of udevil, set log_file to a file path:
# log_file = /var/log/udevil.log
# Approximate number of days to retain log entries (0=forever, max=60):
log_keep_days = 10
# allowed_types determines what fstypes can be passed by a user to the u/mount
# program, what device filesystems may be un/mounted implicitly, and what
# network filesystems may be un/mounted.
# It may also include the 'file' keyword, indicating that the user is allowed
# to mount files (eg an ISO file). The $KNOWN_FILESYSTEMS variable may
# be included to include common local filesystems as well as those listed in
# /etc/filesystems and /proc/filesystems.
# allowed_types_USERNAME, if present, is used to override allowed_types for
# the specific user 'USERNAME'. For example, to allow user 'jim' to mount
# only vfat filesystems, add:
# allowed_types_jim = vfat
# Setting allowed_types = * does NOT allow all types, as this is a security
# risk, but does allow all recognized types.
# allowed_types = $KNOWN_FILESYSTEMS, file, cifs, smbfs, nfs, curlftpfs, ftpfs, sshfs, tmpfs, ramfs
allowed_types = $KNOWN_FILESYSTEMS, file
# allowed_users is a list of users permitted to mount and unmount with udevil.
# Wildcards (* or ?) may be used in the usernames. To allow all users,
# specify "allowed_users=*". UIDs may be included using the form UID=1000.
# For example: allowed_users = carl, UID=1000, pre*
# Also note that permission to execute udevil may be limited to users belonging
# to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
# depending on installation.
# allowed_users_FSTYPE, if present, is used to override allowed_users when
# mounting or unmounting a specific fstype (eg nfs, ext3, file).
# Note that when mounting a file, fstype will always be 'file' regardless of
# the internal fstype of the file.
# For example, to allow only user 'bob' to mount nfs shares, add:
# allowed_users_nfs = bob
# The root user is NOT automatically allowed to use udevil in some cases unless
# listed here (except for unmounting anything or mounting fstab devices).
allowed_users = *
# allowed_groups is a list of groups permitted to mount and unmount with
# udevil. The user MUST belong to at least one of these groups. Wildcards
# or GIDs may NOT be used in group names, but a single * may be used to allow
# all groups.
# Also note that permission to execute udevil may be limited to users belonging
# to the group that owns /usr/bin/udevil, such as 'plugdev' or 'storage',
# depending on installation.
# allowed_groups_FSTYPE, if present, is used to override allowed_groups when
# mounting or unmounting a specific fstype (eg nfs, ext3, file). For example,
# to allow only members of the 'network' group to mount smb and nfs shares,
# use both of these lines:
# allowed_groups_smbfs = network
# allowed_groups_nfs = network
# The root user is NOT automatically allowed to use udevil in some cases unless
# listed here (except for unmounting anything or mounting fstab devices).
allowed_groups = *
# allowed_media_dirs specifies the media directories in which user mount points
# may be located. The first directory which exists and does not contain a
# wildcard will be used as the default media directory (normally /media or
# /run/media/$USER).
# The $USER variable, if included, will be replaced with the username of the
# user running udevil. Wildcards may also be used in any directory EXCEPT the
# default. Wildcards will not match a /
# allowed_media_dirs_FSTYPE, if present, is used to override allowed_media_dirs
# when mounting or unmounting a specific fstype (eg ext2, nfs). For example,
# to cause /media/network to be used as the default media directory for
# nfs and ftpfs mounts, use these two lines:
# allowed_media_dirs_nfs = /media/network, /media, /run/media/$USER
# allowed_media_dirs_ftpfs = /media/network, /media, /run/media/$USER
# NOTE: If you want only the user who mounted a device to have access to it
# and be allowed to unmount it, specify /run/media/$USER as the first
# allowed media directory.
# IMPORTANT: If an allowed file is mounted to a media directory, the user may
# be permitted to unmount its associated loop device even though it is internal.
# INCLUDING /MNT HERE IS NOT RECOMMENDED. ALL ALLOWED MEDIA DIRECTORIES
# SHOULD BE OWNED AND WRITABLE ONLY BY ROOT.
allowed_media_dirs = /media, /run/media/$USER
# allowed_devices is the first criterion for what block devices users may mount
# or unmount. If a device is not listed in allowed_devices, it cannot be
# un/mounted (unless in fstab). However, even if a device is listed, other
# factors may prevent its use. For example, access to system internal devices
# will be denied to normal users even if they are included in allowed_devices.
# allowed_devices_FSTYPE, if present, is used to override allowed_devices when
# mounting or unmounting a specific fstype (eg ext3, ntfs). For example, to
# prevent all block devices containing an ext4 filesystem from being
# un/mounted use:
# allowed_devices_ext4 =
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "allowed_devices=*" which allows any device. The recommended setting is
# allowed_devices = /dev/*
# WARNING: ALLOWING USERS TO MOUNT DEVICES OUTSIDE OF /dev CAN CAUSE SERIOUS
# SECURITY PROBLEMS. DO NOT ALLOW DEVICES IN /dev/shm
allowed_devices = /dev/*
# allowed_internal_devices causes udevil to treat any listed block devices as
# removable, thus allowing normal users to un/mount them (providing they are
# also listed in allowed_devices).
# allowed_internal_devices_FSTYPE, if present, is used to override
# allowed_internal_devices when mounting or unmounting a specific fstype
# (eg ext3, ntfs). For example, to allow block devices containing a vfat
# filesystem to be un/mounted even if they are system internal devices, use:
# allowed_internal_devices_vfat = /dev/sdb*
# Some removable esata drives look like internal drives to udevil. To avoid
# this problem, they can be treated as removable with this setting.
# WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
# allowed_internal_devices =
# allowed_internal_uuids and allowed_internal_uuids_FSTYPE work similarly to
# allowed_internal_devices, except that UUIDs are specified instead of devices.
# For example, to allow un/mounting of an internal filesystem based on UUID:
# allowed_internal_uuids = cc0c4489-8def-1e5b-a304-ab87c3cb626c0
# WARNING: SETTING A SYSTEM DEVICE HERE CAN CAUSE SERIOUS SECURITY PROBLEMS.
# allowed_internal_uuids =
# forbidden_devices is used to prevent block devices from being un/mounted
# even if other settings would allow them (except devices in fstab).
# forbidden_devices_FSTYPE, if present, is used to override
# forbidden_devices when mounting or unmounting a specific fstype
# (eg ext3, ntfs). For example, to prevent device /dev/sdd1 from being
# mounted when it contains an ntfs filesystem, use:
# forbidden_devices_ntfs = /dev/sdd1
# NOTE: device node paths are canonicalized before being tested, so forbidding
# a link to a device will have no effect.
forbidden_devices =
# allowed_networks determines what hosts may be un/mounted by udevil users when
# using nfs, cifs, smbfs, curlftpfs, ftpfs, or sshfs. Hosts may be specified
# using a hostname (eg myserver.com) or IP address (192.168.1.100).
# Wildcards may be used in hostnames and IP addresses, but CIDR notation
# (192.168.1.0/16) is NOT supported. IPv6 is supported. For example:
# allowed_networks = 127.0.0.1, 192.168.1.*, 10.0.0.*, localmachine, *.okay.com
# Or, to prevent un/mounting of any network shares, set:
# allowed_networks =
# allowed_networks_FSTYPE, if present, is used to override allowed_networks
# when mounting or unmounting a specific network fstype (eg nfs, cifs, sshfs,
# curlftpfs). For example, to limit nfs and samba shares to only local
# networks, use these two lines:
# allowed_networks_nfs = 192.168.1.*, 10.0.0.*
# allowed_networks_cifs = 192.168.1.*, 10.0.0.*
allowed_networks = *
# forbidden_networks and forbidden_networks_FSTYPE are used to specify networks
# that are never allowed, even if other settings allow them (except fstab).
# NO REVERSE LOOKUP IS PERFORMED, so including bad.com will only have an effect
# if the user uses that hostname. IP lookup is always performed, so forbidding
# an IP address will also forbid all corresponding hostnames.
forbidden_networks =
# allowed_files is used to determine what files in what directories may be
# un/mounted. A user must also have read permission on a file to mount it.
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "allowed_files=*" which allows any file. For example, to allow only
# files in the /share directory to be mounted, use:
# allowed_files = /share/*
# NOTE: Specifying allowed_files_FSTYPE will NOT work because the fstype of
# files is always 'file'.
allowed_files = *
# forbidden_files is used to specify files that are never allowed, even if
# other settings allow them (except fstab). Specify a full path.
# Note: Wildcards may be used, but a wildcard will never match a /, except
# for "forbidden_files = *".
# NOTE: file paths are canonicalized before being tested, so forbidding
# a link to a file will have no effect.
forbidden_files =
# default_options specifies what options are always included when performing
# a mount, in addition to any options the user may specify.
# Note: When a device is present in /etc/fstab, and the user does not specify
# a mount point, the device is mounted with normal user permissions using
# the fstab entry, without these options.
# default_options_FSTYPE, if present, is used to override default_options
# when mounting a specific fstype (eg ext2, nfs).
# The variables $USER, $UID, and $GID are changed to the user's username, UID,
# and GID.
# FOR GOOD SECURITY, default_options SHOULD ALWAYS INCLUDE: nosuid,noexec,nodev
# WARNING: OPTIONS PRESENT OR MISSING CAN CAUSE SERIOUS SECURITY PROBLEMS.
default_options = nosuid, noexec, nodev, noatime
default_options_file = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro
# mount iso9660 with 'ro' to prevent mount read-only warning
default_options_iso9660 = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, ro, utf8
default_options_udf = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_vfat = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID, utf8
default_options_msdos = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID
default_options_umsdos = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID
default_options_ntfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, utf8
default_options_cifs = nosuid, noexec, nodev, uid=$UID, gid=$GID, file_mode=0644, dir_mode=0755
default_options_smbfs = nosuid, noexec, nodev, uid=$UID, gid=$GID
default_options_sshfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
default_options_curlftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID, nonempty, allow_other
default_options_ftpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_tmpfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
default_options_ramfs = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
# allowed_options determines all options that a user may specify when mounting.
# All the options used in default_options above must be included here too, or
# they will be rejected. If the user attempts to use an option not included
# here, an error will result. Wildcards may be used.
# allowed_options_FSTYPE, if present, is used to override allowed_options
# when mounting a specific fstype (eg ext2, nfs).
# The variables $USER, $UID, and $GID are changed to the user's username, UID,
# and GID.
# If you want to forbid remounts, remove 'remount' from here.
# WARNING: OPTIONS HERE CAN CAUSE SERIOUS SECURITY PROBLEMS - CHOOSE CAREFULLY
allowed_options = nosuid, noexec, nodev, noatime, fmask=0022, dmask=0022, uid=$UID, gid=$GID, ro, rw, sync, flush, iocharset=*, utf8, remount
allowed_options_nfs = nosuid, noexec, nodev, noatime, ro, rw, sync, remount, port=*, rsize=*, wsize=*, hard, proto=*, timeo=*, retrans=*
allowed_options_cifs = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*, file_mode=*, dir_mode=*
allowed_options_smbfs = nosuid, noexec, nodev, ro, rw, remount, port=*, user=*, username=*, pass=*, password=*, guest, domain=*, uid=$UID, gid=$GID, credentials=*
allowed_options_sshfs = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, idmap=user, BatchMode=yes, port=*
allowed_options_curlftpfs = nosuid, noexec, nodev, noatime, ro, rw, uid=$UID, gid=$GID, nonempty, allow_other, user=*
allowed_options_ftpfs = nosuid, noexec, nodev, noatime, ro, rw, port=*, user=*, pass=*, ip=*, root=*, uid=$UID, gid=$GID
# mount_point_mode, if present and set to a non-empty value, will cause udevil
# to set the mode (permissions) on the mount point after mounting. If not
# specified or if left empty, the mode is not changed. Mode must be octal
# starting with a zero (0755).
# mount_point_mode_FSTYPE, if present, is used to override mount_point_mode
# when mounting a specific fstype (eg ext2, nfs).
# NOT SETTING A MODE CAN HAVE SECURITY IMPLICATIONS FOR SOME FSTYPES
mount_point_mode = 0755
# don't set a mode for some types:
mount_point_mode_sshfs =
mount_point_mode_curlftpfs =
mount_point_mode_ftpfs =
# Use the settings below to change the default locations of programs used by
# udevil, or (advanced topic) to redirect commands to your scripts.
# When substituting scripts, make sure they are root-owned and accept the
# options used by udevil (for example, the mount_program must accept --fake,
# -o, -v, and other options valid to mount.)
# Be sure to specify the full path and include NO OPTIONS or other arguments.
# These programs may also be specified as configure options when building
# udevil.
# THESE PROGRAMS ARE RUN AS ROOT
# mount_program = /bin/mount
# umount_program = /bin/umount
# losetup_program = /sbin/losetup
# setfacl_program = /usr/bin/setfacl
# validate_exec specifies a program or script which provides additional
# validation of a mount or unmount command, beyond the checks performed by
# udevil. The program is run as a normal user (if root runs udevil,
# validate_exec will NOT be run). The program is NOT run if the user is
# mounting a device without root privileges (a device in fstab).
# The program is passed the username, a printable description of what is
# happening, and the entire udevil command line as the first three arguments.
# The program must return an exit status of 0 to allow the mount or unmount
# to proceed. If it returns non-zero, the user will be denied permission.
# For example, validate_exec might specify a script which notifies you
# of the command being run, or performs additional steps to authenticate the
# user.
# Specify a full path to the program, with NO options or arguments.
# validate_exec =
# validate_rootexec works similarly to validate_exec, except that the program
# is run as root. validate_rootexec will also be run if the root user runs
# udevil. If both validate_exec and validate_rootexec are specified,
# validate_rootexec will run first, followed by validate_exec.
# The program must return an exit status of 0 to allow the mount or unmount
# to proceed. If it returns non-zero, the user will be denied permission.
# Unless you are familiar with writing root scripts, it is recommended that
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
# validate_rootexec =
# success_exec is run after a successful mount, remount, or unmount. The
# program is run as a normal user (if root runs udevil, success_exec
# will NOT be run).
# The program is passed the username, a printable description of what action
# was taken, and the entire udevil command line as the first three arguments.
# The program's exit status is ignored.
# For example, success_exec might run a script which informs you of what action
# was taken, and might perform further actions.
# Specify a full path to the program, with NO options or arguments.
# success_exec =
# success_rootexec works similarly to success_exec, except that the program is
# run as root. success_rootexec will also be run if the root user runs udevil.
# If both success_exec and success_rootexec are specified, success_rootexec
# will run first, followed by success_exec.
# Unless you are familiar with writing root scripts, it is recommended that
# rootexec settings NOT be used, as it is easy to inadvertently open exploits.
# THIS PROGRAM IS ALWAYS RUN AS ROOT, even if the user running udevil is not.
# success_rootexec =
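As an added example (not part of udevil or of this file), the Python linter below parses the OPTION = VALUE[, VALUE, ...] format used here and flags the settings the comments above warn against: a default_options* line without nosuid, noexec and nodev; /mnt in allowed_media_dirs; allowed_devices entries outside /dev or in /dev/shm; allowed_options that let a user pass suid, exec, dev or a bare wildcard; any rootexec hook set; and no log_file. Which settings count as findings, and the two sample configs, are my assumptions.

```python
import re
from typing import Dict, List

# Added example, not udevil's own code: audit a udevil.conf for the settings
# the file's own comments warn about. Check list and samples are assumptions.
_KEY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
_REQUIRED_OPTS = ("nosuid", "noexec", "nodev")  # "SHOULD ALWAYS INCLUDE"
_ROOT_HOOKS = ("validate_rootexec", "success_rootexec")


def parse_udevil_conf(text: str) -> Dict[str, List[str]]:
    """Parse OPTION = VALUE[, VALUE, ...] lines into {option: [values]}.
    '#' lines and blanks are skipped, quotes are not honoured, and a later
    definition of the same option replaces an earlier one."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key, raw = m.groups()
            conf[key] = [v.strip() for v in raw.split(",") if v.strip()]
    return conf


def audit_udevil_conf(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means clean."""
    conf = parse_udevil_conf(text)
    findings: List[str] = []
    for key, vals in conf.items():
        if key.startswith("default_options"):
            # every default_options* line must carry nosuid, noexec, nodev
            findings += [f"{key}: missing {o}" for o in _REQUIRED_OPTS if o not in vals]
        elif key.startswith("allowed_options"):
            # letting the user pass these undoes the defaults above
            findings += [f"{key}: permits '{o}'" for o in ("*", "suid", "exec", "dev") if o in vals]
        elif key.startswith("allowed_media_dirs") and "/mnt" in vals:
            findings.append(f"{key}: includes /mnt (not recommended)")
        elif key.startswith("allowed_devices"):
            for v in vals:
                if not v.startswith("/dev/") or v.startswith("/dev/shm"):
                    findings.append(f"{key}: '{v}' reaches outside /dev or into /dev/shm")
        elif key in _ROOT_HOOKS and vals:
            findings.append(f"{key}: {vals[0]} will run as root; avoid rootexec hooks")
    if "log_file" not in conf:
        findings.append("log_file: not set, udevil use is not logged")
    return findings


# Constructed samples: a weakened config and a hardened one.
WEAK_CONF = """\
log_keep_days = 10
allowed_media_dirs = /media, /mnt, /run/media/$USER
allowed_devices = /dev/*, /dev/shm/*
default_options = noatime
default_options_vfat = nosuid, noexec, nodev, noatime, uid=$UID, gid=$GID
allowed_options = nosuid, noexec, nodev, ro, rw, remount, exec
validate_rootexec = /usr/local/sbin/udevil-check
"""
HARDENED_CONF = """\
log_file = /var/log/udevil.log
allowed_media_dirs = /media, /run/media/$USER
allowed_devices = /dev/*
default_options = nosuid, noexec, nodev, noatime
allowed_options = nosuid, noexec, nodev, noatime, ro, rw, remount
validate_rootexec =
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/udevil/udevil.conf"
    with open(path) as fh:
        print("\n".join(audit_udevil_conf(fh.read())) or "no findings")
```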