Subject: Re: normal user can bypass mount 'noexec' flags
To: None <firstname.lastname@example.org>
From: Manuel Bouyer <email@example.com>
Date: 03/11/1999 18:51:14
On Mar 11, Thor Lancelot Simon wrote
> I want that, at security level 2. It's consistent with the other restrictions
> on mount (actually, users may not be able to mount new filesystems now -- I'm
> pretty sure nobody can) so if it's not that way yet at securelevel 2, please
> make it so.
Yes, no new mounts are allowed at all at securelevel 2. So this is not an
issue. I missed this.
> > 2- user mounts inherit the noexec flag from the target directory's partition.
> > The mount has to be done on a directory owned by this user, which means
> > he can write to this partition. If he can execute a file copied to this
> > partition as well, they're no security compromise by allowing it to
> > execute a binary on the partition he mounted (unless I missed something).
> Imagine a machine where one wants to restrict the set of binaries a user can
> run. The users can write to their home directories, but they're noexec. So
> long as any mount done on those partitions is also noexec, I think I'm okay
> with what you're proposing.
> A better solution might be to do that *and* add a "nosubmount" or some such
> flag, to prevent user mounts entirely. Also, I strongly suspect you may need
> to do all the same things discussed above for "nodev", and "nosuid"...
User mounts are already nodev,nosuid. It's enforced in the system call.
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr