Subject: Re: normal user can bypass mount 'noexec' flags
To: Manuel Bouyer <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 03/11/1999 11:45:05
On Thu, Mar 11, 1999 at 05:12:55PM +0100, Manuel Bouyer wrote:
> I just sent a PR about this (# 7129): by using a null mount, a regular user
> can mount a directory on another, and can execute binaries in the target
> directory even if the source directory is noexec. This completely defeats
> the purpose of the noexec mount flag.
> Fixing this requires a change to "mount by a non-root user" semantics.
> I can see 2 ways of handling this:
> 1- user mounts are always 'noexec' (they're already 'nodev,nosuid'), possibly
> depending on the kernel security level
I want that, at security level 2. It's consistent with the other restrictions
on mount (actually, users may not be able to mount new filesystems now -- I'm
pretty sure nobody can) so if it's not that way yet at securelevel 2, please
make it so.
> 2- user mounts inherit the noexec flag from the target directory's partition.
> The mount has to be done on a directory owned by this user, which means
> he can write to this partition. If he can execute a file copied to this
> partition as well, there's no security compromise by allowing it to
> execute a binary on the partition he mounted (unless I missed something).
Imagine a machine where one wants to restrict the set of binaries a user can
run. The users can write to their home directories, but they're noexec. So
long as any mount done on those partitions is also noexec, I think I'm okay
with what you're proposing.
A better solution might be to do that *and* add a "nosubmount" or some such
flag, to prevent user mounts entirely. Also, I strongly suspect you may need
to do all the same things discussed above for "nodev", and "nosuid"...
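The two proposed rules for non-root mounts, plus an audit for the case in the PR, as an added example that is not code from the thread or from NetBSD; the Mount class, the constructed mount table and all function names are assumptions.

```python
from dataclasses import dataclass
RESTRICTIVE = frozenset({"noexec", "nosuid", "nodev"})

@dataclass(frozen=True)
class Mount:
    path: str                 # mount point
    flags: frozenset          # subset of RESTRICTIVE in effect on this mount
    user_mount: bool = False  # done by a non-root user (e.g. a null mount)

def containing_mount(table, directory):
    """Longest-prefix match: the mount whose filesystem holds `directory`."""
    best = None
    for m in table:
        if directory == m.path or directory.startswith(m.path.rstrip("/") + "/"):
            if best is None or len(m.path) > len(best.path):
                best = m
    return best

def user_mount_flags(table, target_dir, requested, securelevel):
    """Flags a non-root mount on target_dir must carry: rule 2 inherits the
    restrictions of the partition holding target_dir, rule 1 forces noexec at
    securelevel >= 2; nosuid and nodev are always forced, as they already are."""
    flags = set(requested) | {"nosuid", "nodev"}
    parent = containing_mount(table, target_dir)
    if parent is not None:
        flags |= parent.flags & RESTRICTIVE
    if securelevel >= 2:
        flags.add("noexec")
    return frozenset(flags)

def find_bypasses(table):
    """Audit: user mounts with fewer restrictions than the partition under
    them, i.e. the situation reported in the PR. Returns (path, missing)."""
    findings = []
    for m in table:
        if not m.user_mount:
            continue
        parent = containing_mount([x for x in table if x is not m], m.path)
        missing = (parent.flags & RESTRICTIVE) - m.flags if parent else set()
        if missing:
            findings.append((m.path, frozenset(missing)))
    return findings

# Constructed mount table: /home is noexec, and a user has null-mounted a
# directory holding binaries onto /home/alice/bin without noexec.
TABLE = [
    Mount("/", frozenset()),
    Mount("/home", RESTRICTIVE),
    Mount("/home/alice/bin", frozenset({"nosuid", "nodev"}), user_mount=True),
]
```

Running `find_bypasses(TABLE)` flags `/home/alice/bin` as missing `noexec`, and `user_mount_flags` shows what either rule would have forced on that mount.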