Subject: Re: Mount permissions
To: Ignatios Souvatzis <email@example.com>
From: Jaromír Doleček <firstname.lastname@example.org>
Date: 01/27/2000 14:29:08
Ian Dall wrote:
>Ignatios Souvatzis <email@example.com> writes:
>> Julian Assange wrote:
>> > There goes /tmp.
>> Yes. Even read/write/execute access wouldn't help.
>But wx and not t would help.
Someone argued you cannot make a subdirectory of a directory you have
write access to, but are not the owner of, disappear. That is not true -
you might as well move/rename the directory you don't want, create your
own and mount the filesystem of your choice over it.
All in all, I think that not allowing a filesystem to be mounted on a directory
one has write access to doesn't improve the security situation,
so we should drop the restriction[*] and allow the mount if:
1. mounter is root
2. mounter is owner of the mount point
3. mounter is not owner, but has rwx access to it and the directory is NOT
marked as sticky (t bit) [**]
How about umapfs - isn't it possible to create e.g. a root shell just by
creating a suid shell owned by your user and mounting an umapfs which would map
your user to root?
Are there any possible problems with other stacked filesystems?
[*] one might argue that it's bogus to require setting the sticky bit
on a public-writable directory to avoid someone mounting a
random filesystem over it. But if an admin cares about security,
(s)he is NOT going to create a public-writable directory without
setting the sticky bit, right? If (s)he did so, (s)he would
create such a big security problem that an attacker doesn't
need to mount his/her own filesystem over the directory
to do his/her work.
[**] we might forbid the mount if "others" have "write" access
on the mountpoint, but I don't think this would really
make things any better.