Re: [patch 7/8] allow unprivileged mounts

Andi Kleen <andi@xxxxxxxxxxxxxx> writes:

Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> writes:

On Fri, 20 Apr 2007 12:25:39 +0200 Miklos Szeredi <miklos@xxxxxxxxxx> wrote:

Define a new fs flag FS_SAFE, which denotes, that unprivileged
mounting of this filesystem may not constitute a security problem.

Since most filesystems haven't been designed with unprivileged
mounting in mind, a thorough audit is needed before setting this flag.

Practically speaking, is there any realistic likelihood that any filesystem
apart from FUSE will ever use this?

If it worked for mount --bind for any fs I could see uses of this. I haven't
thought
through the security implications though, so it might not work.

Binding a directory that you have access to in other was is essentially
the same thing as a symlink. So there are no real security implications
there. The only problem case I can think of is removal media that you
want to remove but someone has made a bind mount to. But that is
essentially the same case as opening a file so there are no new
real issues. Although our diagnostic tools will likely fall behind
for a bit.

We handle the security implications by assigning an owner to all mounts
and only allowing you to add additional mounts on top of a mount you
already own.

If you have the right capabilities you can create a mount owned by
another user.

For a new mount if you don't have the appropriate capabilities nodev
and nosuid will be forced.

Initial super block creation is a lot more delicate so we need the
FS_SAFE flag, to know that the kernel is prepared to deal with the
crazy things that a hostile user space is prepared to do.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Relevant Pages

  • Re: freebsd-security Digest, Vol 187, Issue 4
    ... I was so transfixed on Josh stating that the attacker could as well ... just mount a filesystem with suid root binaries and how that would be ... more useful than a buffer overflow in the filesystem driver. ... In the past we have considered remote DOS type attacks to be a security ...
    (FreeBSD-Security)
  • [PATCH] (1/3) SELinux context mount support - LSM/FS
    ... , and this feature allows security contexts to be assigned ... labeling on a filesystem is untrusted or unwanted for some reason (e.g. ... module to copy security-specific mount data once the superblock has been ... +static inline void free_secdata ...
    (Linux-Kernel)
  • Re: mount() function problem !
    ... mount() attaches the filesystem specified by source (which is often a device name, ... point within a file system. ... details of the options available for each filesystem type. ... Specifies the journalling mode for file data. ...
    (comp.lang.c)
  • [Full-disclosure] BSD Securelevels: Circumventing protection of files flagged immutable
    ... By mounting an arbitrary filesystem, it is possible to mask files ... different levels of security. ... With Linux an attacker can even intercept the password input to lower ... Administrators should furthermore not rely on securelevels ...
    (Full-Disclosure)
  • BSD Securelevels: Circumventing protection of files flagged immutable
    ... By mounting an arbitrary filesystem, it is possible to mask files ... different levels of security. ... With Linux an attacker can even intercept the password input to lower ... Administrators should furthermore not rely on securelevels ...
    (Bugtraq)