Subject: normal user can bypass mount 'noexec' flags
To: None <tech-security@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 03/11/1999 17:12:55
Hi,
I just sent a PR about this (# 7129): by using a null mount, a regular user
can mount a directory on another, and can execute binaries in the target
directory even if the source directory is noexec. This completely defeats
the purpose of the noexec mount flag.

Fixing this requires a change to "mount by a non-root user" semantics.
I can see 2 ways of handling this:
1- user mounts are always 'noexec' (they're already 'nodev,nosuid'), possibly
   depending on the kernel security level
2- user mounts inherit the noexec flag from the target directory's partition.
   The mount has to be done on a directory owned by this user, which means
   he can write to this partition. If he can execute a file copied to this
   partition as well, there's no security compromise by allowing it to
   execute a binary on the partition he mounted (unless I missed something).

1- will work, for sure. I think 2 should work too, and it is what I will
try to implement.
Does someone see if I missed something?

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
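An added audit script (my own, not from the PR or from NetBSD) that applies the two points of the mail to a constructed mount table: it flags null mounts that re-expose a noexec-backed source without noexec, and computes the options a user mount would receive under proposal 2 (always nodev,nosuid, noexec inherited from the partition holding the mount point). It is written in Python rather than kernel C, and the mount-table line format is an assumption modelled on NetBSD's `mount` output.

```python
# Constructed sample in the style of NetBSD `mount` output (format assumed).
SAMPLE_MOUNT_TABLE = """\
/dev/wd0a on / type ffs (local)
/dev/wd0e on /home type ffs (local, nosuid, noexec)
/dev/wd0f on /usr type ffs (local)
/dev/wd0g on /var type ffs (local)
/home/alice/tools on /var/tmp/alice type null (nodev, nosuid)
/home/bob/docs on /var/tmp/bob type null (nodev, nosuid, noexec)
"""

from dataclasses import dataclass

@dataclass
class Mount:
    source: str      # device or, for a null mount, the source directory
    point: str       # mount point
    fstype: str
    opts: frozenset  # mount options such as noexec, nosuid, nodev

def parse_mount_line(line):
    """Parse 'SRC on DIR type FS (opt, opt)' into a Mount."""
    src, rest = line.split(" on ", 1)
    point, rest = rest.split(" type ", 1)
    fstype, _, opts = rest.partition(" ")
    optset = frozenset(o.strip() for o in opts.strip("()").split(",") if o.strip())
    return Mount(src, point, fstype, optset)

def _norm(path):
    return path.rstrip("/") + "/"

def mount_for_path(path, mounts):
    """Return the mount whose mount point is the longest prefix of path."""
    best = None
    for m in mounts:
        if _norm(path).startswith(_norm(m.point)) and (best is None or len(m.point) > len(best.point)):
            best = m
    return best

def find_noexec_bypasses(lines):
    """Null mounts whose source sits on a noexec partition but which lack noexec."""
    mounts = [parse_mount_line(l) for l in lines if l.strip()]
    findings = []
    for m in mounts:
        if m.fstype != "null" or "noexec" in m.opts:
            continue
        backing = mount_for_path(m.source, [x for x in mounts if x is not m])
        if backing is not None and "noexec" in backing.opts:
            findings.append((m.source, m.point))
    return findings

def user_mount_opts(requested, target_point, mounts):
    """Proposal 2: force nodev,nosuid and inherit noexec from the target's partition."""
    opts = set(requested) | {"nodev", "nosuid"}
    target = mount_for_path(target_point, mounts)
    if target is not None and "noexec" in target.opts:
        opts.add("noexec")
    return frozenset(opts)
```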