Subject: Re: kern/7129: normal user can bypass mount 'noexec' flags
To: Chris G. Demetriou <cgd@netbsd.org>
From: Bill Studenmund <wrstuden@nas.nasa.gov>
List: tech-kern
Date: 03/11/1999 17:40:46
On 11 Mar 1999, Chris G. Demetriou wrote:

> Bill Studenmund <wrstuden@nas.nasa.gov> writes:
> > I think it would be simpler to just add the smarts into the mount
> > commands. If each one along the way starts with the underlying fs's flags,
> > adds ones it considers important, and only lets root delete flags, then we
> > should be fine.
> 
> uh, the mount commands (for user mounts) are currently unprivileged.

Right. I meant the mount_XXX VFS routines, which are in-kernel. I
mentioned it in a reply to another note, but just realized that one went
to tech-security. :-)

> the user can get the source for the relevant mount command, remove the
> checks/inheritance, and recompile it.
> 
> so if you're going to do this, you at the very least have to verify in
> the kernel that the user's not trying to do something bad.

Right. All these checks should be in the vfs mount ops.

> btw, in any case, it probably makes sense to have a mask of flags to
> inherit from a lower level mount, i.e. when figuring out what flags
> to use at your level, you do:
> 
> 	my_flags = my_req_flags | (lower_level_flags & inherit_mask)
> 
> e.g. you might not want to automatically inherit read-only-ness, the
> export-related flags, or other 'visible' flags.  (it's almost certain
> that you don't want to inherit the non-visible flags.)

I think you want to inherit read-only-ness as all the write commands are
going to fail. :-) The underlying fs will still enforce them. :-)

My thought was that there are a set of flags we (should) enforce for
non-root mounts. NOSUID, NOEXEC, and NODEV definitely, NOCOREDUMP maybe,
and maybe we don't want to permit NOATIME and NODEVTIME.

At least as I understand the discussion, the thought was that if _root_
say does a mount -t nullfs and the underlying fs has some of the above
restrictions present (say NOEXEC set), if root doesn't specify the same
restrictions on the nullfs, they don't get set.

> BTW:
> 
> #define MNT_VISFLAGMASK 0x2400ffff
> 
> Why doesn't that include:

No idea. :-)

> #define MNT_NODEVMTIME  0x08000000      /* Never update mod times for devs */
> 
> #define MNT_EXNORESPORT 0x08000000      /* don't enforce reserved
> ports (NFS) */
> #define MNT_EXPUBLIC    0x10000000      /* public export (WebNFS) */
> 
> and is it intended that MNT_NODEVMTIME and MNT_EXNORESPORT have the
> same value?!

Probably a bug. :-)

Take care,

Bill
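The following is an added example, not code from the message above or from the NetBSD kernel. It models, in user space, the in-kernel check the thread argues for: a VFS mount op that starts from the underlying file system's flags, applies Chris's `my_flags = my_req_flags | (lower_level_flags & inherit_mask)` rule, forces NOSUID/NOEXEC/NODEV onto every non-root mount, refuses NOATIME/NODEVMTIME from non-root callers, and leaves root's requested flags alone. It also shows two checks a reviewer would want for the flag table quoted at the end of the message: which flags fall inside MNT_VISFLAGMASK, and whether any two flag names share a bit. The four values quoted in the message are used as given; the remaining flag values follow the 4.4BSD mount.h layout and are assumptions here, as are the names `MNT_USER_FORCED`, `MNT_USER_INHERIT`, `MNT_USER_DENIED` and the functions below.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Flag values. The four marked "quoted" are taken from the message; the
 * others follow the 4.4BSD mount.h layout and are assumptions for this
 * example, not a copy of any particular kernel header.
 */
#define MNT_RDONLY      0x00000001u
#define MNT_NOEXEC      0x00000004u
#define MNT_NOSUID      0x00000008u
#define MNT_NODEV       0x00000010u
#define MNT_NOCOREDUMP  0x00008000u
#define MNT_NOATIME     0x04000000u
#define MNT_NODEVMTIME  0x08000000u   /* quoted */
#define MNT_EXNORESPORT 0x08000000u   /* quoted; same bit as MNT_NODEVMTIME */
#define MNT_EXPUBLIC    0x10000000u   /* quoted */
#define MNT_VISFLAGMASK 0x2400ffffu   /* quoted */

/* Restrictions every non-root mount gets, whatever was requested (assumed policy). */
#define MNT_USER_FORCED   (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV)
/* Lower-level flags a non-root mount inherits: the inherit_mask of the message. */
#define MNT_USER_INHERIT  (MNT_USER_FORCED | MNT_NOCOREDUMP | MNT_RDONLY)
/* Flags a non-root mount may not ask for at all. */
#define MNT_USER_DENIED   (MNT_NOATIME | MNT_NODEVMTIME)

/*
 * Flags a VFS mount op should apply. `requested` is whatever the untrusted
 * (possibly recompiled) mount_XXX binary passed in; `lower` is the flag
 * word of the file system the mount point lives on. Returns 0 and sets
 * *out, or EPERM when a non-root caller asks for a flag it may not have.
 */
int compute_mount_flags(uint32_t requested, uint32_t lower, int is_root,
                        uint32_t *out)
{
    if (is_root) {
        /* Root gets exactly what it asked for: no inheritance. */
        *out = requested;
        return 0;
    }
    if (requested & MNT_USER_DENIED)
        return EPERM;
    /* Bits are only ever added here, so a user cannot drop a restriction
     * that the lower file system carries, no matter what the binary sends. */
    *out = requested | MNT_USER_FORCED | (lower & MNT_USER_INHERIT);
    return 0;
}

/* Convenience wrapper: the flag word, or UINT32_MAX when the mount is refused. */
uint32_t mount_flags_or_deny(uint32_t requested, uint32_t lower, int is_root)
{
    uint32_t out;
    return compute_mount_flags(requested, lower, is_root, &out) == 0
               ? out : UINT32_MAX;
}

/* True if no inheritable restriction of `lower` is missing from `upper`. */
int mount_preserves_restrictions(uint32_t lower, uint32_t upper)
{
    return ((lower & MNT_USER_INHERIT) & ~upper) == 0;
}

/* True if the flag is one a user can see (inside MNT_VISFLAGMASK). */
int flag_is_visible(uint32_t flag)
{
    return (flag & MNT_VISFLAGMASK) == flag;
}

struct mnt_flag { const char *name; uint32_t value; };

static const struct mnt_flag flag_table[] = {
    { "MNT_RDONLY", MNT_RDONLY },         { "MNT_NOEXEC", MNT_NOEXEC },
    { "MNT_NOSUID", MNT_NOSUID },         { "MNT_NODEV", MNT_NODEV },
    { "MNT_NOCOREDUMP", MNT_NOCOREDUMP }, { "MNT_NOATIME", MNT_NOATIME },
    { "MNT_NODEVMTIME", MNT_NODEVMTIME }, { "MNT_EXNORESPORT", MNT_EXNORESPORT },
    { "MNT_EXPUBLIC", MNT_EXPUBLIC },
};

/* Count pairs of differently named flags that share a bit. */
size_t count_flag_collisions(void)
{
    size_t n = sizeof flag_table / sizeof flag_table[0], hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (flag_table[i].value & flag_table[j].value) {
                printf("collision: %s and %s share 0x%08x\n",
                       flag_table[i].name, flag_table[j].name,
                       flag_table[i].value & flag_table[j].value);
                hits++;
            }
    return hits;
}

int main(void)
{
    /* Constructed scenario: a noexec,ro lower fs, user asks for no flags. */
    uint32_t lower = MNT_NOEXEC | MNT_RDONLY;
    printf("user mount on noexec fs -> 0x%08x\n", mount_flags_or_deny(0, lower, 0));
    printf("root mount on noexec fs -> 0x%08x\n", mount_flags_or_deny(0, lower, 1));
    printf("user asks for noatime  -> 0x%08x\n", mount_flags_or_deny(MNT_NOATIME, lower, 0));
    printf("flag collisions: %zu\n", count_flag_collisions());
    return 0;
}
```

With this in the mount op, stripping the inheritance out of a recompiled `mount_null` changes nothing: the kernel ORs the lower file system's restrictions back in. Note that root deliberately bypasses inheritance, which is exactly the "root does mount -t nullfs over a noexec fs and gets an exec-capable view" behaviour the message describes; `mount_preserves_restrictions()` is the check you would run on the result if you decided that case should warn instead.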