This is a discussion on How can I prevent users from mounting FAT32 partition? within the Linux Security forums, part of the System Security and Security Related category.
The hard disk in my computer is divided into 2 partitions.
- The first partition is FAT32 and installed Windows 98
- The second partition is installed Linux

Can I disallow users to mount the FAT32 partition when the computer is running Linux?

I don't know much about Linux security, therefore the Linux may be hacked when it is connected to the Internet.
I don't mind the data in the Linux partition. However, the first partition contains some important data.

* ~ let us linux ~ *
I fear that a hacker would gain admin rights in my computer.
Then he can amend the configuration to allow him to mount the partition.
Can I disallow all users, including root, to mount the partition?

"Juha Kustaa Siltala" <jsiltala@cc.helsinki.fi> wrote in message news:slrnbgq0k0.gr4.jsiltala@kruuna.Helsinki.FI...
> In article <3f0db87a$1@lungfunggdn.org>, Fool wrote:
> > The hard disk in my computer is divided into 2 partitions.
> > - The first partition is FAT32 and installed Windows 98
> > - The second partition is installed Linux
> >
> > Can I disallow users to mount the FAT32 partition when the computer is
> > running Linux?
>
> Edit /etc/fstab. Remove options like user, owner, auto... Read man fstab
> first!
>
> --
> Juha Siltala

* ~ let us linux ~ *
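An added example, not part of the thread: a shell function that audits fstab text for the options Juha Siltala names above (user, owner, auto) on FAT entries. The sample fstab is constructed; flagging `users`, `group` and a missing `noauto` as well is an assumption based on fstab(5) and mount(8), and, as the rest of the thread points out, these options only constrain non-root users.

```shell
#!/bin/sh
# Added example, not code from the thread.
# audit_fstab [FILE...] reads fstab text (stdin if no FILE) and prints
# "DEVICE MOUNTPOINT FINDING" for each FAT entry that a non-root user can
# mount or that "mount -a" mounts at boot.
audit_fstab() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }        # skip comments, blank and short lines
    $3 == "vfat" || $3 == "msdos" {
        n = split($4, opts, ",")
        who = ""; atboot = 1             # "auto" is the default behaviour
        for (i = 1; i <= n; i++) {
            o = opts[i]
            if (o == "user" || o == "users" || o == "owner" || o == "group")
                who = who (who == "" ? "" : ",") o
            else if (o == "noauto") atboot = 0
            else if (o == "auto")   atboot = 1
        }
        if (who != "") print $1, $2, "user-mountable(" who ")"
        if (atboot)    print $1, $2, "mounted-at-boot"
    }' "$@"
}

# Constructed sample; device names follow the /dev/hdaN style used in the thread.
sample_fstab() {
    cat <<'EOF'
# <device>  <mountpoint>  <type>  <options>            <dump> <pass>
/dev/hda1   /mnt/win      vfat    user,auto,umask=022  0 0
/dev/hda2   /             ext3    defaults             1 1
/dev/hda5   /mnt/data     vfat    noauto,ro            0 0
EOF
}

sample_fstab | audit_fstab
```

On a real system, run `audit_fstab /etc/fstab`; an entry that prints nothing has neither a user-mount option nor automatic mounting.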
Fool wrote:
> I fear that a hacker would gain admin rights in my computer.
> Then he can amend the configuration to allow him to mount the partition.
> Can I disallow all users, including root, to mount the partition?
>
> "Juha Kustaa Siltala" <jsiltala@cc.helsinki.fi> wrote in message
> news:slrnbgq0k0.gr4.jsiltala@kruuna.Helsinki.FI...
>
>>In article <3f0db87a$1@lungfunggdn.org>, Fool wrote:
>>
>>>The hard disk in my computer is divided into 2 partitions.
>>>- The first partition is FAT32 and installed Windows 98
>>>- The second partition is installed Linux
>>>
>>>Can I disallow users to mount the FAT32 partition when the computer is
>>>running Linux?
>>
>>Edit /etc/fstab. Remove options like user, owner, auto... Read man fstab
>>first!
>>
>>--
>>Juha Siltala

Yes. Put it in a hot-swap drive bay and take it out. Nothing less than physical removal or screwing with the hardware by other means can protect a standard, unencrypted file system from a hacker who's gained root access to your machine.
Juha Kustaa Siltala wrote:
> In article <y6acnf1xp9jJXpCiXTWQlg@giganews.com>, Mark Cudworth wrote:
>
>>"Fool" <fool@tom.com> writes:
>>
>>>I fear that a hacker would gain admin rights in my computer.
>>>Then he can amend the configuration to allow him to mount the partition.
>>>Can I disallow all users, including root, to mount the partition?
>>
>>If you don't mind preventing anyone from mounting the partition, recompile
>>your kernel without support for FAT32 file systems. (Don't even include
>>support as a module.) This won't prevent the committed cracker from
>>seeing the data on the partition if he/she has root access, but they won't
>>be able to *mount* the partition and it will be much more difficult. Make
>>sure they can't install a new kernel and reboot remotely.
>
>
> Reading unmounted FAT32 is very hard to do (or at least that's what I
> think :)), most crackers are not very smart.

You're on very thin ice there. :^)

Of all the standard RW filesystems, FAT32 is probably the easiest to read with a hex editor. Especially if it has been defragmented recently.

Even if you don't know anything about the filesystem at all, just try the command below for a laugh.

> strings /dev/hda

Kind regards,

Iwo
Doing so would be very difficult if the computer has a CD ROM drive and others have physical access to it. Tools like Operator 3.2 boot a full blown Linux with security tools and exploits. Not only will Operator allow you to mount the FAT32 filesystems, you could use some of the tools on the CD to crack the SAM (NT) password.

Don't waste your time unless you can physically keep users from having access to the box.

L8R
Bud

"Fool" <fool@tom.com> wrote in message news:3f0db87a$1@lungfunggdn.org...
> The hard disk in my computer is divided into 2 partitions.
> - The first partition is FAT32 and installed Windows 98
> - The second partition is installed Linux
>
> Can I disallow users to mount the FAT32 partition when the computer is
> running Linux?
>
> I don't know much about Linux security, therefore the Linux may be hacked
> when it is connected to the Internet.
> I don't mind the data in the Linux partition. However, the first partition
> contains some important data.
>
> * ~ let us linux ~ *
P.S. You can get the Operator 3.2 image from http://www.ussysadmin.com/operator

Bud

"Bud" <bud@swoop.2y.net> wrote in message news:_2KPa.38653$N7.4870@sccrnsc03...
> Doing so would be very difficult if the computer has a CD ROM drive and
> others have physical access to it. Tools like Operator 3.2 boot a full
> blown Linux with security tools and exploits. Not only will Operator allow
> you to mount the FAT32 filesystems, you could use some of the tools on the
> CD to crack the SAM (NT) password.
>
> Don't waste your time unless you can physically keep users from having
> access to the box.
>
> L8R
> Bud
>
> "Fool" <fool@tom.com> wrote in message news:3f0db87a$1@lungfunggdn.org...
> > The hard disk in my computer is divided into 2 partitions.
> > - The first partition is FAT32 and installed Windows 98
> > - The second partition is installed Linux
> >
> > Can I disallow users to mount the FAT32 partition when the computer is
> > running Linux?
> >
> > I don't know much about Linux security, therefore the Linux may be hacked
> > when it is connected to the Internet.
> > I don't mind the data in the Linux partition. However, the first partition
> > contains some important data.
> >
> > * ~ let us linux ~ *
Iwo Mergler wrote:
>Juha Kustaa Siltala wrote:
>>In article <y6acnf1xp9jJXpCiXTWQlg@giganews.com>, Mark Cudworth wrote:
>>>"Fool" <fool@tom.com> writes:
>>>>I fear that a hacker would gain admin rights in my computer.
>>>recompile your kernel without support for FAT32 file systems. (Don't
>>>even include support as a module.) This won't prevent the committed
>>>cracker from seeing the data on the partition if he/she has root access,
>>Reading unmounted FAT32 is very hard to do (or at least that's what I
>>think :)), most crackers are not very smart.
>Of all the standard RW filesystems, FAT32 is probably the easiest
>to read with a hex editor. Especially if it has been defragmented
>recently.
>
>Even if you don't know anything about the filesystem at all, just
>try the command below for a laugh.
>
> > strings /dev/hda

Here is a tutorial for a beginner SK who doesn't have knowledge of filesystems or forensics and whose file has been fragmented. `man mtools` wrote "without mounting". If an intruder got root and the rights of root are not restricted, they can read the partition even if the kernel doesn't support FAT32.

---[ ~/.mtoolsrc ]---
drive c: file="/dev/hda16"

# /usr/bin/mdir -a c:
 Volume in drive C is A16
Directory for C:/

RECYCLED     <DIR>

$ /sbin/lsmod|grep fat

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
>>>>> "Iwo" == Iwo Mergler <"Iwo Mergler"> writes:

Iwo> Juha Kustaa Siltala wrote:
>> In article <y6acnf1xp9jJXpCiXTWQlg@giganews.com>, Mark Cudworth
>> wrote:
>>> "Fool" <fool@tom.com> writes:
>>>
>>>> I fear that a hacker would gain admin rights in my computer.
>>>> Then he can amend the configuration to allow him to mount the
>>>> partition. Can I disallow all users, including root, to
>>>> mount the partition?

Impossible. Root is the superman.

>>> If you don't mind preventing anyone from mounting the
>>> partition, recompile your kernel without support for FAT32
>>> file systems.

I can simply copy the vfat.o from another Linux installation (of the same kernel version number), insmod vfat.o and voila!

>> (Don't even include support as a module.)

I can compile the module on another machine and then copy the .o file to this victim machine. I can even compile it on the victim machine.

>>> This won't prevent the committed cracker from seeing the data
>>> on the partition if he/she has root access, but they won't be
>>> able to *mount* the partition and it will be much more
>>> difficult.

See above.

>>> Make sure they can't install a new kernel and reboot remotely.

There is no need to install a new kernel nor reboot. Just copy a module file, which is just a .o (object) file and load it with insmod.

>>> Reading unmounted FAT32 is very hard to do (or at least that's
>>> what I think :)), most crackers are not very smart.

It's quite easy. I wrote a FAT16 fsck as a homework programming assignment during my second year of undergraduate studies. And you don't need to write it yourself, either. There is "mtools". It is installed on most Linux systems, and also many Solaris installations.

Iwo> Of all the standard RW filesystems, FAT32 is probably the
Iwo> easiest to read with a hex editor. Especially if it has been
Iwo> defragmented recently.

Yeah. But 'mtools' is most likely there already installed on the victim machine.

Iwo> Even if you don't know anything about the filesystem at all,
Iwo> just try the command below for a laugh.
>> strings /dev/hda

I suppose it should be /dev/hda1 or something like that? Anyway, it doesn't matter.

--
Lee Sau Dan 李守敦(Big5) ~{@nJX6X~}(HZ)
E-mail: danlee@informatik.uni-freiburg.de
Home page: http://www.informatik.uni-freiburg.de/~danlee
Lee Sau Dan <danlee@informatik.uni-freiburg.de> writes:
>
> >>> Make sure they can't install a new kernel and reboot remotely.
>
>There is no need to install a new kernel nor reboot. Just copy a
>module file, which is just a .o (object) file and load it with insmod.

Yes, there *is* a need to reboot, as insmod is useless on machines without module support. I'm not talking about just leaving support for VFAT out of the kernel -- I'm talking about leaving support for *modules* out of the kernel, as well. In order for VFAT support to be added, a new kernel would have to be installed.

--
Mark Cudworth
Fool wrote:
> The hard disk in my computer is divided into 2 partitions.
> - The first partition is FAT32 and installed Windows 98
> - The second partition is installed Linux
>
> Can I disallow users to mount the FAT32 partition when the computer is
> running Linux?
>
> I don't know much about Linux security, therefore the Linux may be hacked
> when it is connected to the Internet.
> I don't mind the data in the Linux partition. However, the first partition
> contains some important data.
>
> * ~ let us linux ~ *

You might also "hide" the FAT32 partitions with LILO configuration options. But this still will not thwart a determined hacker. This process allows LILO to temporarily munge the partition types known to be in the master boot record and partition boot blocks of your hard disks.

- Steve Hathaway