This command shows the result of a mount command in a nice table layout
# mount | column -t
Result
/dev/sda1  on  /      type  ext4  (rw,errors=remount-ro)
/dev/sda2  on  /home  type  ext4  (rw)
Posted by Hans-Henry Jakobsen
This post came to life because I had gotten an image file of a 120GB Linux ext2 RAID partition that I couldn't access using Windows software. The partition had been rescued by RAID Reconstructor, a Windows program that can rebuild RAID arrays by combining the disks from the RAID and storing the result as one image file.
The solution was to use linux and try to mount it as a loop filesystem. My assumption was that the partition itself had an unknown offset, so I used this script to search and mount the partition. The script tries to mount the partition within the first 20000 blocks. I assume the block size is 512 bytes and I already know that the partition is formatted as ext2.
# Try every 512-byte block offset within the first 20000 blocks until one mounts as ext2
for ((i = 0; i < 20000; i++)); do
    mount -t ext2 -o loop,offset=$((i * 512)) diskimage.img /mnt/point && break
done
If it succeeds you can run the mount command to get the offset value of the mounted partition
# mount | grep diskimage
/dev/loop0 on /mnt/point type ext2 (rw,offset=32256)
In my case the offset was 32256.
This script can also be used to mount a partition from a backup of your filesystem.
Example
This is my example disk I'm going to create an image of
# fdisk -l

Disk /dev/hda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          14      112423+  83  Linux
/dev/hda2              15          96      658665   83  Linux
/dev/hda3              97        3394    26491185   83  Linux
/dev/hda4            3395        9729    50885887+   f  W95 Ext'd (LBA)
/dev/hda5            3395        7218    30716248+  83  Linux
/dev/hda6            7219        8750    12305758+  83  Linux
/dev/hda7            8751        9533     6289416   83  Linux
/dev/hda8            9534        9729     1574338+  83  Linux
Create a backup image of your entire disk
# dd if=/dev/hda of=imagefile.img
To mount one of these partitions as a loop filesystem you can issue a mount command and tell it the right offset. Use the script above if you don't know the offset; it takes the guesswork out of it and mounts the partition for you.
Example of mounting the /dev/hda3 partition from the image if the offset is known
# mount -t ext3 -o loop,offset=49664 imagefile.img /mnt/point
Determining the offset is easy when you know the disk geometry and have access to the partition table.
In this case the hda3 partition has an offset of 512 bytes * 96 blocks = 49664.
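As an added example (not the post's own code), the following Python script does the two things this post does by hand: it reads the DOS partition table of a raw disk image to compute each partition's byte offset for mount's offset= option, and it scans the first 20000 512-byte blocks for an ext2/3/4 superblock signature instead of attempting a mount at every block. The image is constructed in memory with one partition at LBA 63, i.e. at byte offset 32256, the same offset the post found.

```python
import struct

SECTOR = 512            # the post assumes 512-byte blocks
SB_OFFSET = 1024        # an ext2/3/4 superblock sits 1024 bytes into its partition
EXT_MAGIC = 0xEF53      # s_magic, 16-bit little-endian at superblock offset 56

def mbr_partitions(image: bytes):
    """Parse the DOS partition table in the image's first sector.
    Returns (entry number, type id, byte offset, byte length) for each used entry;
    the byte offset is the 'offset=' value mount needs for that partition."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        return []
    found = []
    for n in range(4):
        base = 446 + 16 * n
        ptype = image[base + 4]
        lba, sectors = struct.unpack_from("<II", image, base + 8)
        if ptype and sectors:
            found.append((n + 1, ptype, lba * SECTOR, sectors * SECTOR))
    return found

def find_ext_superblocks(image: bytes, max_blocks: int = 20000):
    """Brute-force search like the post's mount loop, but read-only: report every
    512-byte-aligned offset where a plausible ext superblock begins."""
    hits = []
    for i in range(max_blocks):
        off = i * SECTOR
        sb = off + SB_OFFSET
        if sb + 58 > len(image):
            break
        magic = struct.unpack_from("<H", image, sb + 56)[0]
        log_block = struct.unpack_from("<I", image, sb + 24)[0]
        # s_log_block_size above 6 (64 KiB blocks) is not a valid ext filesystem
        if magic == EXT_MAGIC and log_block <= 6:
            hits.append(off)
    return hits

def build_sample_image() -> bytes:
    """Constructed 64 KiB image: one Linux partition at LBA 63 (offset 32256)
    carrying only the ext2 superblock fields this script looks at."""
    img = bytearray(128 * SECTOR)
    img[446 + 4] = 0x83                                  # type 0x83 = Linux
    struct.pack_into("<II", img, 446 + 8, 63, 60)        # first LBA, sector count
    img[510:512] = b"\x55\xaa"                           # boot signature
    sb = 63 * SECTOR + SB_OFFSET
    struct.pack_into("<I", img, sb + 24, 0)              # s_log_block_size: 1 KiB blocks
    struct.pack_into("<H", img, sb + 56, EXT_MAGIC)      # s_magic
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    for n, ptype, off, length in mbr_partitions(img):
        print(f"partition {n}: type 0x{ptype:02x} offset={off} length={length}")
    print("ext superblocks at offsets:", find_ext_superblocks(img))
```

Run it against a real image with `open("imagefile.img", "rb").read()` in place of the sample to get the offset without touching the mount table at all.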
EDIT
This post could have been avoided if I had known about the Linux tool TestDisk. TestDisk is powerful free data recovery software. It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a partition table). It can also be used as a forensic tool.
Tags: dd, mount, offset, RAID Reconstructor, testdisk
Posted by Hans-Henry Jakobsen
This post describes how to mount a remote filesystem through SSH using the shfs kernel module on a Debian Etch server. By doing this I can access the remote filesystem as if it was a local filesystem and also use my local tools and software.
This is a short description of how I made a remote filesystem accessible on my private server.
Download the needed software
# apt-get install shfs-source shfs-utils module-assistant
This step might not be needed on your system, but I didn’t have the needed software to build the kernel module
# module-assistant prepare
Use the module assistant to build the kernel module to match your local system (I use a 2.6 kernel but this should work on a 2.4 kernel also)
# module-assistant build shfs
Now you can install it
# module-assistant install shfs
Selecting previously deselected package shfs-module-2.6.18-5-686.
(Reading database ... 78212 files and directories currently installed.)
Unpacking shfs-module-2.6.18-5-686 (from .../shfs-module-2.6.18-5-686_0.35-6.2+2.6.18.dfsg.1-17_i386.deb) ...
Setting up shfs-module-2.6.18-5-686 (0.35-6.2+2.6.18.dfsg.1-17) ...
You might see some error messages but those are mostly harmless :) and can be ignored.
Now we can try to mount the remote filesystem
# mkdir /export/remotefs
# shfsmount user@remotesystem.com /export/remotefs
Password:
The remote filesystem should now be available after typing your password.
# cd /export/remotefs
# ls
You will now see all your files in the remote filesystem as if they were on your local machine.
To unmount your filesystem
# cd /
# umount /export/remotefs
This post could have been extended to use passwordless
Tags: Debian, Etch, mount, ssh
Posted by Hans-Henry Jakobsen
Many simple exploits that are used against machines (via vulnerable PHP applications, local users, etc.) rely upon being able to execute commands in /tmp. If this is a separate partition or file system you can gain some protection by marking it non-executable. The common problem with this is that apt-get fails to work with such a setup.
When you mount a partition there are many flags that can be used, two interesting ones are:
noexec and nosuid
(A full list can be read as part of man mount.)
The two flags are explained fully in the man page for mount, but briefly: noexec prevents binaries on the filesystem from being executed directly, and nosuid makes the kernel ignore the set-user-ID and set-group-ID bits of files on it.
Mounting filesystems with these flags set raises the bar a little, but it doesn’t stop files from being executed. The Linux linker and loader will permit binaries to be run:
# Make /tmp non-executable
root@earth:~# mount -o remount,noexec /tmp

# Copy an executable into it
root@earth:~# cp /bin/ls /tmp
root@earth:~# chmod 755 /tmp/ls

# Test it - the execution should fail.
root@earth:~# /tmp/ls
bash: /tmp/ls: Permission denied

# But .. what's this? It still runs?
root@earth:~# /lib/ld-linux.so.2 /tmp/ls
Mail  public_html

# cleanup
root@earth:~# rm /tmp/ls
root@earth:~# mount -o remount,exec /tmp
With that in mind you might wonder what the point is? Well it foils any simplistic attack that relies upon putting a script in /tmp and running it. If they’ve got shell access they can probably figure it out, but an automated tool would be foiled – for the moment.
To make your system have a non-executable /tmp partition you must edit the way that it is mounted in the file /etc/fstab. Find the line that contains /tmp and change the defaults to read nosuid,noexec instead.
For example this is my updated /etc/fstab file:
/dev/sda3 /tmp ext3 noexec,nosuid 0 2
This will take effect the next time you mount the filesystem, you can do this now with:
mount -o remount /tmp
Verify it by running:
root@earth:/tmp# mount | grep /tmp
/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid)
The output line should contain the two words ‘noexec,nosuid’ in it. If this is in place then you’re covered.
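An added Python check, not from the original article, that verifies the /tmp hardening both persistently (the /etc/fstab line) and at runtime (/proc/mounts), matching the mount point exactly so that /var/tmp or /tmp2 is not mistaken for /tmp the way a plain grep would. The fstab and mounts contents below are constructed samples showing the state after editing fstab but before the remount.

```python
REQUIRED = ("noexec", "nosuid")

# Constructed samples: fstab has already been edited as described above,
# but /tmp has not been remounted yet, so its runtime options still lack the flags.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext4 errors=remount-ro 0 1
/dev/sda3 /tmp ext3 noexec,nosuid 0 2
/dev/sda4 /var/tmp ext3 defaults 0 2
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw 0 0
/dev/sda4 /var/tmp ext3 rw 0 0
"""

def parse_table(text: str) -> dict:
    """Parse fstab or /proc/mounts text into {mount point: set of options}.
    Both files share the same six-field layout; comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")   # /proc/mounts escapes spaces as \040
        table[mountpoint] = set(fields[3].split(","))
    return table

def missing_options(table: dict, mountpoint: str, required=REQUIRED) -> list:
    """Required options absent for the exact mount point (all of them if it is not listed)."""
    opts = table.get(mountpoint)
    if opts is None:
        return list(required)
    return [o for o in required if o not in opts]

def audit(fstab_text: str, mounts_text: str, mountpoint: str = "/tmp") -> dict:
    """Report what is missing persistently (fstab) and right now (/proc/mounts)."""
    return {
        "fstab": missing_options(parse_table(fstab_text), mountpoint),
        "runtime": missing_options(parse_table(mounts_text), mountpoint),
    }

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_FSTAB, SAMPLE_MOUNTS))
    with open("/etc/fstab") as fstab, open("/proc/mounts") as mounts:
        print("this host:", audit(fstab.read(), mounts.read()))
```

An empty list under both keys means the flags are in fstab and active; a non-empty runtime list with an empty fstab list is the remount-still-needed state from the paragraph above.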
The only problem now is that when apt-get upgrades your system it will sometimes place scripts inside the temp directory which will now not be executable.
The fix for this is to temporarily make the temporary directory executable before running apt-get and then remove the execution bits afterwards. This would be a troublesome thing to remember doing ourselves – but thankfully we can set it up to be automatic.
Add the following to the file /etc/apt/apt.conf:
DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};
In Debian Etch (4.0) the file is named /etc/apt/apt.conf.d/70debconf
This contains two lines, one running before any package installation and one afterwards. They merely execute the commands required to add and remove the execute permission on the /tmp filesystem.
Source: http://www.debian-administration.org/articles/57
Tags: apt-get, Debian, fstab, mount, Ubuntu
Posted by Hans-Henry Jakobsen
First the script tries to umount the drive normally. If that fails, it tries to restart famd, which is the most common cause of the problem. If that fails it tries to restart xinetd. If that fails it uses the command fuser -ki to kill the processes holding the mount point, and as a last resort it offers a lazy unmount.
#!/bin/bash
# Force-unmount helper: try a plain umount first, then restart famd, then stop
# xinetd, then let the user kill the processes that still hold the mount point
# (fuser -ki), and finally offer a lazy unmount.

if [ "$(whoami)" != "root" ]; then
    echo "You must run this as root"
    exit 1
fi

# testing args
if [ $# -ne 1 ]; then
    echo "usage: $0 <directory>"
    exit 1
fi

dir=$1

# first try unmounting it without doing anything special
testumount=$(umount "$dir" 2>&1)

if echo "$testumount" | grep -q "not mounted"; then
    echo "$dir isn't mounted, exiting"
    exit 1
fi

if echo "$testumount" | grep -q "not found"; then
    echo "$dir does not exist, exiting"
    exit 1
fi

if echo "$testumount" | grep -q busy; then
    echo "Having trouble, checking famd..."
else
    echo "unmounted $dir without any trouble..."
    exit 0
fi

# check famd
if ps -e | grep -q famd; then
    /etc/init.d/famd restart
    # try unmounting again
    if umount "$dir" 2>/dev/null; then
        echo "Unmounted $dir by restarting famd"
        exit 0
    fi
    echo "I tried restarting famd, but that didn't work. checking xinetd"
else
    echo "famd isn't running so it couldn't be that.."
fi

# check xinetd
if ps -e | grep -q xinetd; then
    /etc/init.d/xinetd stop
    # try unmounting again
    if umount "$dir" 2>/dev/null; then
        /etc/init.d/xinetd start
        echo "Unmounted $dir by restarting xinetd"
        exit 0
    fi
    /etc/init.d/xinetd start
    echo "I tried stopping xinetd, but that didn't work."
else
    echo "xinetd isn't running so it couldn't be that.."
fi

echo
echo "I'm going to list processes that are using the folder you are
trying to umount. Answer whether you'd like to kill them or not.
You should look up each process before you answer. Use the
following command in a separate shell:"
echo
echo "  ps -e | grep <pid>"
echo
echo "where <pid> is the number of the process."
echo

# fuser -k kills the processes using the mount point, -i asks before each one
fuser -ki "$dir"
echo

# try once more now that the blocking processes may be gone
if umount "$dir" 2>/dev/null; then
    echo "Unmounted $dir after killing the processes that used it. You're all good :)"
    exit 0
fi

echo "OK, this is the last resort. Do you want to umount the volume using"
echo "the -l option? According to the umount man page -l means:"
echo
echo "  Lazy unmount. Detach the filesystem from the filesystem
hierarchy now, and cleanup all references to the filesystem as
soon as it is not busy anymore. (Requires kernel 2.4.11 or later.)"
echo
echo "Use -l option? (y/n)"
read -r yn
if [ "$yn" = "y" ]; then
    umount -l "$dir"
else
    echo "OK. Sorry I couldn't help"
fi
exit 0
Tags: bash, fuser, grep, mount, wc, xinetd
Posted by Hans-Henry Jakobsen