Subject: Re: kern/7129: normal user can bypass mount 'noexec' flags
To: Bill Studenmund <>
From: Thor Lancelot Simon <>
List: tech-security
Date: 03/11/1999 18:52:49
On Thu, Mar 11, 1999 at 03:28:30PM -0800, Bill Studenmund wrote:
> On Thu, 11 Mar 1999, Bill Sommerfeld wrote:
> > Here's the interface I think makes sense for fixing this:
> > 
> >        VOP_GETMNTFLAGS(vp)
> > 
> > .. returns the ored-together mount flags of the filesystem vp and any
> > filesystems vp is stacked on..
> > 
> > implementation for "leaf" filesystems just looks in the vfs structure.
> > 
> > mount_null, etc., or's its bits together with the one of the
> > underlying vnode..
> I think it would be simpler to just add the smarts into the mount
> commands. If each one along the way starts with the underlying fs's flags,
> adds ones it considers important, and only lets root delete flags, then we
> should be fine.

Um, that's how we got *in* this mess, at least with umapfs.  If you're going
to let non-root users mount filesystems, you *can't* just "add the smarts
into the mount commands".  The user can just build a mount command that
doesn't have the "smarts" in it, and you lose.  The smarts *have* to go in
the kernel.

Thor Lancelot Simon	                            
	"And where do all these highways go, now that we are free?"