Delegating mount/umount Privileges
Recently, I was doing some file system changes. Obviously, I wanted to run them as an unprivileged user. Unfortunately, the test involved mounting and unmounting a filesystem (tmpfs, to be specific). At first I was going to set up a sudo rule to allow mount and umount to run without asking for a password. Then I remembered that I should be able to give the unprivileged user the additional privilege directly. It turns out that only one privilege (sys_mount) needs to be delegated, and it is easy to do!
$ usermod -K defaultpriv=basic,sys_mount jeffpc
Then it’s a matter of logging out and back in. We can check using ppriv:
$ ppriv $$
925:    bash
flags = <none>
        E: basic,sys_mount
        I: basic,sys_mount
        P: basic,sys_mount
        L: all
At this point, mounting and unmounting works without sudo or similar user switching:
$ mkdir tmp
$ mount -F tmpfs none /tmp/tmp
$ df -h /tmp/tmp
Filesystem      Size  Used Avail Use% Mounted on
swap            2.6G     0  2.6G   0% /tmp/tmp
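As an added check (not part of the original post), the script below audits a ppriv(1) dump like the one above and confirms that the effective set is exactly basic plus sys_mount, flagging a missing privilege or an over-broad grant such as "all". The ppriv output it parses is constructed to match the shape shown above, so it runs without an illumos box.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a mount
# delegation is minimal by reading the E (effective) set of a ppriv dump.

# Constructed ppriv(1) output for a shell granted defaultpriv=basic,sys_mount.
PPRIV_OK='925:    bash
flags = <none>
        E: basic,sys_mount
        I: basic,sys_mount
        P: basic,sys_mount
        L: all'

# Constructed output for a shell that was handed every privilege.
PPRIV_TOO_BROAD='926:    bash
flags = <none>
        E: all
        I: all
        P: all
        L: all'

# privset NAME DUMP: print the comma-separated set named NAME (E, I, P or L).
privset() {
    printf '%s\n' "$2" | awk -v set="$1:" '$1 == set { print $2 }'
}

# has_priv PRIV SET: succeed when PRIV appears in the comma-separated SET.
has_priv() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount_delegation DUMP: 0 when E is exactly basic plus sys_mount,
# 1 when sys_mount is missing, 2 when E carries more than the post grants.
check_mount_delegation() {
    e=$(privset E "$1")
    case "$e" in
        all) echo "E set is 'all': far broader than basic,sys_mount"; return 2 ;;
    esac
    has_priv sys_mount "$e" || { echo "sys_mount not in E: $e"; return 1; }
    for p in $(printf '%s' "$e" | tr ',' ' '); do
        case "$p" in
            basic|sys_mount) ;;
            *) echo "unexpected privilege in E: $p"; return 2 ;;
        esac
    done
    echo "E set is minimal: $e"
    return 0
}
```

On a real system, replace the constructed dumps with `ppriv $$` (or `ppriv <pid>`) output captured after logging back in.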