Subject: Re: kern/7129: normal user can bypass mount 'noexec' flags
To: Chris G. Demetriou <email@example.com>
From: Bill Studenmund <firstname.lastname@example.org>
Date: 03/11/1999 17:40:46
On 11 Mar 1999, Chris G. Demetriou wrote:
> Bill Studenmund <email@example.com> writes:
> > I think it would be simpler to just add the smarts into the mount
> > commands. If each one along the way starts with the underlying fs's flags,
> > adds ones it considers important, and only lets root delete flags, then we
> > should be fine.
> uh, the mount commands (for user mounts) are currently unprivileged.
Right. I meant the mount_XXX VFS routines, which are in-kernel. I
mentioned it in a reply to another note, but just realized that one went
to tech-security. :-)
> the user can get the source for the relevant mount command, remove the
> checks/inheritance, and recompile it.
> so if you're going to do this, you at the very least have to verify in
> the kernel that the user's not trying to do something bad.
Right. All these checks should be in the vfs mount ops.
> btw, in any case, it probably makes sense to have a mask of flags to
> inherit from a lower level mount, i.e. when figuring out what flags
> to use at your level, you do:
> my_flags = my_req_flags | (lower_level_flags & inherit_mask)
> e.g. you might not want to automatically inherit read-only-ness, the
> export-related flags, or other 'visible' flags. (it's almost certain
> that you don't want to inherit the non-visible flags.)
I think you want to inherit read-only-ness as all the write commands are
going to fail. :-) The underlying fs will still enforece them. :-)
My thought was that there are a set of flags we (should) enforce for
non-root mounts. NOSUID, NOEXEC, and NODEV definitly, NOCOREDUMP maybe,
and maybe we don't want to permit NOATIME and NODEVTIME.
At least as I understand the discussion, the thought was that if _root_
say does a mount -t nullfs and the underlying fs has some of the above
restrictions present (say NOEXEC set), if root doesn't specify the same
restrictions on the nullfs, they don't get set.
> #define MNT_VISFLAGMASK 0x2400ffff
> Why doesn't that include:
No idea. :-)
> #define MNT_NODEVMTIME 0x08000000 /* Never update mod times for devs */
> #define MNT_EXNORESPORT 0x08000000 /* don't enforce reserved
> ports (NFS) */
> #define MNT_EXPUBLIC 0x10000000 /* public export (WebNFS) */
> and is it intended that MNT_NODEVMTIME and MNT_EXNORESPORT have the
> same value?!
Probably a bug. :-)