Subject: Re: Mount permissions
To: Ignatios Souvatzis <is@jocelyn.rhein.de>
From: Jaromír Doleček <dolecek@sky.cz>
List: tech-kern
Date: 01/27/2000 14:29:08
Ian Dall wrote:
>Ignatios Souvatzis <is@jocelyn.rhein.de> writes:
>> Julian Assange wrote:
>> > There goes /tmp.
>> Yes. Even read/write/execute access wouldn't help.
>
>But wx and not t would help.

Someone argued that you cannot make a subdirectory of a directory you
have write access to, but are not the owner of, disappear. That is not true -
you might as well move/rename the directory you don't want, create your
own and mount the filesystem of your choice over it.

All in all, I think that not allowing mounting a filesystem on a directory
one has write access to doesn't improve the security situation,
so we should drop the restriction[*] and allow the mount if:
1. mounter is root
2. mounter is owner of the mount point
3. mounter is not owner, but has rwx access into it and the directory is NOT
    marked as sticky (t bit) [**]

How about umapfs - isn't it possible to create e.g. a root shell just by
creating a your-user suid shell and mounting an umapfs which would map
your user to root?
Are there any possible problems with other stacked filesystems?

Jaromir

[*] one might argue that it's bogus to require setting the sticky bit
    on a public-writable directory to avoid someone mounting a
    random filesystem over it. But if an admin cares about security,
    (s)he is NOT going to create a public-writable directory without
    setting the sticky bit, right? If (s)he would do so, (s)he would
    create such a big security problem that an attacker doesn't
    need to mount his/her own filesystem over the directory
    to do his/her work.
[**] we might forbid the mount if "others" have "write" access
   on the mountpoint, but I don't think this would really
   make things any better