A chronological documentation test project, nothing serious, really!

19 Jan 2009 Mount a RAID Reconstructor disk image in linux

This post came to life because I had gotten an image file of a 120GB Linux ext2 RAID partition that I couldn’t access using Windows software. The partition had been rescued by RAID Reconstructor, Windows software that can rebuild RAID arrays by combining the disks from the RAID and storing the result as one image file.

The solution was to use linux and try to mount it as a loop filesystem. My assumption was that the partition itself had an unknown offset, so I used this script to search and mount the partition. The script tries to mount the partition within the first 20000 blocks. I assume the block size is 512 bytes and I already know that the partition is formatted as ext2.

# Try each 512-byte block offset until the ext2 mount succeeds
for ((i = 0; i < 20000; i++)); do
    mount -t ext2 -o loop,offset=$((i * 512)) diskimage.img /mnt/point && break
done

If it succeeds, you can issue the mount command to get the offset of the mounted partition:

# mount | grep diskimage

/dev/loop0 on /mnt/point type ext2 (rw,offset=32256)

In my case the offset was 32256.

This script can also be used to mount a partition from a backup of your filesystem.

This is my example disk I'm going to create an image of:

# fdisk -l

Disk /dev/hda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          14      112423+  83  Linux
/dev/hda2              15          96      658665   83  Linux
/dev/hda3              97        3394    26491185   83  Linux
/dev/hda4            3395        9729    50885887+   f  W95 Ext'd (LBA)
/dev/hda5            3395        7218    30716248+  83  Linux
/dev/hda6            7219        8750    12305758+  83  Linux
/dev/hda7            8751        9533     6289416   83  Linux
/dev/hda8            9534        9729     1574338+  83  Linux

Create a backup image of your entire disk

# dd if=/dev/hda of=imagefile.img

To mount one of these partitions as a loop filesystem you can issue a mount command and tell it the right offset. Use the script above if you don't know the offset; it will take the guesswork out for you and mount the partition.

Example of mounting /dev/hda3 if the offset is known

# mount -t ext3 -o loop,offset=49664 imagefile.img /mnt/point

Determining the offset is easy when you know the disk geometry and have access to the partition table.
In this case the hda3 partition has an offset of 512 bytes * 96 blocks = 49664.
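When the image begins with an MBR partition table, the offset can be read from the table instead of searched for. The following is an added example, not code from the original post: it parses the four primary entries and builds a read-only loop mount command for each. It assumes 512-byte sectors, and the sample table is constructed for illustration.

```python
import struct

SECTOR = 512                      # assumption: 512-byte sectors, as the post assumes
CONTAINERS = {0x05, 0x0F, 0x85}   # extended partitions only hold logical ones

def parse_mbr(sector0):
    """Return the non-empty primary entries of an MBR as dicts."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature, not an MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        # layout: status, CHS start (3), type, CHS end (3), LBA start, count
        _status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue                      # unused slot
        parts.append({
            "index": i + 1,
            "type": ptype,
            "offset": start * SECTOR,     # value for mount -o offset=
            "size": count * SECTOR,       # value for mount -o sizelimit=
            "container": ptype in CONTAINERS,
        })
    return parts

def mount_command(image, part, mountpoint="/mnt/point"):
    """Build a read-only loop mount command for one parsed entry."""
    if part["container"]:
        raise ValueError("extended partition: no filesystem to mount")
    opts = "ro,loop,offset=%d,sizelimit=%d" % (part["offset"], part["size"])
    return "mount -o %s %s %s" % (opts, image, mountpoint)

def build_sample_mbr():
    """Constructed sample: two Linux primaries and one extended entry."""
    rows = [(0x83, 63, 224847), (0x83, 224910, 1317330), (0x0F, 1542240, 4096)]
    table = b"".join(struct.pack("<B3xB3xII", 0, t, s, c) for t, s, c in rows)
    return bytes(446) + table + bytes(16) + b"\x55\xaa"

if __name__ == "__main__":
    # With a real image: parse_mbr(open("imagefile.img", "rb").read(512))
    for p in parse_mbr(build_sample_mbr()):
        if not p["container"]:
            print(mount_command("imagefile.img", p))
```

Logical partitions inside an extended entry are not followed here; the read-only mount keeps the image unchanged while you inspect it.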

This post could have been avoided if I had known about the Linux tool TestDisk. TestDisk is a powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). It could also be used as a forensic tool.


20 Feb 2008 Mounting remote filesystems using SSH and Debian

This post describes how to mount a remote filesystem through SSH using the shfs kernel module on a Debian Etch server. By doing this I can access the remote filesystem as if it was a local filesystem and also use my local tools and software.
This is a short description of how I made a remote filesystem accessible on my private server.

Download the needed software

# apt-get install shfs-source shfs-utils module-assistant

This step might not be needed on your system, but I didn’t have the needed software to build the kernel module

# module-assistant prepare

Use the module assistant to build the kernel module to match your local system (I use a 2.6 kernel but this should work on a 2.4 kernel also)

# module-assistant build shfs

Now you can install it

# module-assistant install shfs
Selecting previously deselected package shfs-module-2.6.18-5-686.
(Reading database ... 78212 files and directories currently installed.)
Unpacking shfs-module-2.6.18-5-686 (from .../shfs-module-2.6.18-5-686_0.35-6.2+2.6.18.dfsg.1-17_i386.deb) ...
Setting up shfs-module-2.6.18-5-686 (0.35-6.2+2.6.18.dfsg.1-17) ...

You might see some error messages but those are mostly harmless :) and can be ignored.
Now we can try to mount the remote filesystem

# mkdir /export/remotefs
# shfsmount <user>@<remotehost> /export/remotefs

The remote filesystem should now be available after typing your password.

# cd /export/remotefs
# ls

You will now see all your files in the remote filesystem as if they were on your local machine.
To unmount your filesystem

# cd /
# umount /export/remotefs

This post could have been extended to use passwordless


04 Oct 2007 Making /tmp non-executable

Many simple exploits that are used against machines (via vulnerable PHP applications, local users, etc.) rely upon being able to execute commands in /tmp. If this is a separate partition or file system you can gain some protection by marking it non-executable. The common problem with this is that apt-get fails to work with such a setup.

When you mount a partition there are many flags that can be used; two interesting ones are:

  • noexec
  • nosuid

(A full list can be read as part of man mount).

The two flags are explained fully in the man page for mount, but briefly:

  • noexec
    • Do not allow execution of any binaries on the mounted file system.
  • nosuid
    • Do not allow set-user-identifier or set-group-identifier bits to take effect.

Mounting filesystems with these flags set raises the bar a little, but it doesn’t stop files from being executed. The Linux linker and loader will permit binaries to be run:

# Make /tmp non-executable
root@earth:~# mount -o remount,noexec /tmp

# Copy an executable into it
root@earth:~# cp /bin/ls /tmp
root@earth:~# chmod 755 /tmp/ls

# Test it - the execution should fail.
root@earth:~# /tmp/ls
bash: /tmp/ls: Permission denied

# But .. what's this?  It still runs?
root@earth:~# /lib/ /tmp/ls
Mail  public_html  

# cleanup
root@earth:~# rm /tmp/ls
root@earth:~# mount -o remount,exec /tmp

With that in mind you might wonder what the point is? Well it foils any simplistic attack that relies upon putting a script in /tmp and running it. If they’ve got shell access they can probably figure it out, but an automated tool would be foiled – for the moment.

To make your system have a non-executable /tmp partition you must edit the way that it is mounted in the file /etc/fstab. Find the line that contains /tmp and change the defaults to read nosuid,noexec instead.

For example this is my updated /etc/fstab file:

/dev/sda3       /tmp              ext3  noexec,nosuid           0       2

This will take effect the next time you mount the filesystem; you can do this now with:

mount -o remount /tmp

Verify it by running:

root@earth:/tmp# mount |grep /tmp
/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid)

The output line should contain the two words ‘noexec,nosuid’ in it. If this is in place then you’re covered.
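The same check can be scripted against the live mount table, which reflects any remount rather than what /etc/fstab says. This is an added example, not part of the original post: it goes beyond /tmp to /var/tmp and /dev/shm (an assumption about which world-writable paths you care about) and reports when a path is not its own mount and therefore inherits the options of its parent filesystem. The sample table is constructed.

```python
import re

REQUIRED = {"noexec", "nosuid"}   # the two flags discussed above

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \040-style octal
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def covering_mount(path, mounts_text):
    """Return (mount point, option set) of the filesystem that holds path."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = unescape(fields[1]), set(fields[3].split(","))
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        # longest mount point wins; on a tie the later (topmost) mount wins
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, opts)
    return best

def audit(paths, mounts_text):
    """Map each path to its covering mount and the required flags it lacks."""
    report = {}
    for path in paths:
        hit = covering_mount(path, mounts_text)
        if hit is None:
            report[path] = {"mount": None, "separate": False,
                            "missing": sorted(REQUIRED)}
            continue
        mnt, opts = hit
        report[path] = {"mount": mnt, "separate": mnt == path,
                        "missing": sorted(REQUIRED - opts)}
    return report

# Constructed sample in /proc/mounts format (not taken from the post).
SAMPLE = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid 0 0
"""
PATHS = ["/tmp", "/var/tmp", "/dev/shm"]

if __name__ == "__main__":
    # On a live system: audit(PATHS, open("/proc/mounts").read())
    for path, r in audit(PATHS, SAMPLE).items():
        print(path, "on", r["mount"], "missing:", ",".join(r["missing"]) or "-")
```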

The only problem now is that when apt-get upgrades your system it will sometimes place scripts inside the temp directory which will now not be executable.

The fix for this is to temporarily make the temporary directory executable before running apt-get and then remove the execution bits afterwards. This would be a troublesome thing to remember doing ourselves – but thankfully we can set it up to be automatic.

Add the following to the file /etc/apt/apt.conf:

DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

In Debian Etch (4.0) the file is named /etc/apt/apt.conf.d/70debconf

This contains two lines, one running before any package installation and one afterwards. They merely execute the commands required to add and remove the execute permissions on the /tmp



09 May 2007 Script to unmount Busy Devices

First the script tries to umount the drive normally. If that fails, it tries to restart famd which is the most common problem. If that fails it tries to restart xinetd. If that fails it uses the command fuser -ki which asks you if you want to kill each process that’s using that folder. Be careful with this – you should know what each process is before you kill it. If that fails, probably because you didn’t kill all the processes, it asks you if you want to lazily unmount the volume, which removes the drive even though processes are still using it.


#!/bin/bash
# Unmount a busy mount point, escalating one step at a time.

if [ "`whoami`" != "root" ]; then
      echo "You must run this as root"
      exit 1
fi

# testing args
if [ $# -ne 1 ]; then
      echo "usage : $0 <dir>"
      exit 1
fi
dir=$1

# first try unmounting it without doing anything special
testumount=`umount "$dir" 2>&1`
if [ `echo $testumount | grep "not mounted" | wc -l` -gt 0 ]; then
      echo "$1 isn't mounted, exiting"
      exit 1
fi
if [ `echo $testumount | grep "not found" | wc -l` -gt 0 ]; then
      echo "$1 does not exist, exiting"
      exit 1
fi

if [ `echo $testumount | grep busy | wc -l` -gt 0 ]; then
      echo "Having trouble, checking famd..."
else
      echo "unmounted $dir without any trouble..."
      exit 0
fi

# check famd
if [ `ps -e | grep famd | wc -l` -gt 0 ]; then
      /etc/init.d/famd restart
      # try unmounting again
      if [ `umount "$dir" 2>&1 | wc -l` -gt 0 ]; then
            echo "I tried restarting famd, but that didn't work. checking xinetd"
      else
            echo "Unmounted $dir by restarting famd"
            exit 0
      fi
else
      echo "famd isn't running so it couldn't be that.."
fi

# check xinetd
if [ `ps -e | grep xinetd | wc -l` -gt 0 ]; then
      /etc/init.d/xinetd stop
      # try unmounting again
      if [ `umount "$dir" 2>&1 | wc -l` -lt 1 ]; then
            /etc/init.d/xinetd start
            echo "Unmounted $1 by restarting xinetd"
            exit 0
      fi
      /etc/init.d/xinetd start
      echo "I tried stopping xinetd, but that didn't work."
else
      echo "xinetd isn't running so it couldn't be that.."
fi

echo "I'm going to list processes that are using the folder you are
trying to umount. Answer whether you'd like to kill them or not.
You should look up each process before you answer. use the
following command in a separate shell:"
echo "	ps -e | grep <pid>"
echo "where <pid> is the number of the process."
fuser -ki "$dir"
# try unmounting again now that processes may have been killed
testumount=`umount "$dir" 2>&1`
if [ `echo $testumount | grep busy | wc -l` -gt 0 ]; then
      echo "OK, this is the last resort. Do you want to umount the volume using "
      echo "the -l option? According to the umount man page -l means:"
      echo "	Lazy unmount. Detach the filesystem from the filesystem
      hierarchy now, and cleanup all references to the filesystem as
      soon as	it is not busy anymore.  (Requires kernel 2.4.11 or later.)"
      echo "Use -l option? (y/n)"
      read yn
      if [ "$yn" = "y" ]; then
            umount -l "$dir"
      else
            echo "OK. Sorry I couldn't help"
      fi
else
      echo "You're all good :)"
fi



07 May 2007 Mounting ISO Files

ISO images are files containing the data of a CD (almost bit per bit). They can be mounted, using the loopback device. ISO images can only be mounted read-only (use mkisofs to create images).

Kernel Requirements

To mount ISO images you need the following in your kernel (as module or builtin):

  • loop-back filesystem support (under Device Drivers – Block devices in kernel 2.6)
  • ISO 9660 CDROM file system support (under File systems – CD-ROM/DVD Filesystems in kernel 2.6)

You also might want this for mounting non-linux ISO images:

  • Microsoft Joliet CDROM extensions (under File systems – CD-ROM/DVD Filesystems in kernel 2.6)

Linux Kernel Configuration: Joliet CDROM Extensions (2.6)

File systems –> CD-ROM/DVD Filesystems
<*> ISO 9660 CDROM file system support
[*] Microsoft Joliet CDROM extensions


To mount the ISO images, you’ll need to have root access. Login as root or use sudo, and execute:

mount -t iso9660 -o loop,user image.iso /wheretomount

Drop ,user if you don’t want users to access the ISO files.

Note: If this fails with an error concerning /dev/loop then as root issue the command:

# modprobe loop

Alternatively you may want to add loop to the list of modules that you autoload at boot:

# nano -w /etc/modules.autoload.d/kernel-2.6

and add loop to the bottom of your list of modules.

Hint 1: You can use cdemu to mount BIN images (It’s in portage). You can also use bin2iso to convert them to ISO (also in Portage).

Hint 2: You can use mdf2iso to convert MDF/MDS files to ISO (It’s in portage). Or you can mount a .mdf file with:

mount image.mdf /wheretomount -o loop=/dev/loop0

Hint 3: You can use nrg2iso to convert Nero’s .nrg files to ISO (It’s in portage). Or you can mount a .nrg file with:

mount -o loop,offset=307200 image.nrg /wheretomount

Hint 4: You can use ccd2iso to convert Clone CD’s .img files to ISO (It’s in portage).


SVCD and VCD ISO files can be played directly using mplayer or converted using mencoder.
