Subject: Re: normal user can bypass mount 'noexec' flags
To: None <tls@rek.tjls.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 03/11/1999 18:51:14
On Mar 11, Thor Lancelot Simon wrote
> I want that, at security level 2.  It's consistent with the other restrictions
> on mount (actually, users may not be able to mount new filesystems now -- I'm
> pretty sure nobody can) so if it's not that way yet at securelevel 2, please
> make it so.

Yes, no new mounts are allowed at all at securelevel 2. So this is not an
issue. I missed this.

> 
> > 2- user mounts inherit the noexec flag from the target directory's partition.
> >    The mount has to be done on a directory owned by this user, which means
> >    he can write to this partition. If he can execute a file copied to this
> >    partition as well, they're no security compromise by allowing it to
> >    partition as well, there's no security compromise by allowing it to
> 
> Imagine a machine where one wants to restrict the set of binaries a user can
> run.  The users can write to their home directories, but they're noexec.  So
> long as any mount done on those partitions is also noexec, I think I'm okay
> with what you're proposing.
> 
> A better solution might be to do that *and* add a "nosubmount" or some such
> flag, to prevent user mounts entirely.  Also, I strongly suspect you may need
> to do all the same things discussed above for "nodev", and "nosuid"...

User mounts are already nodev,nosuid. It's enforced in the system call.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
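The property Thor asks for above, that a mount placed on a noexec filesystem must itself be noexec, is easy to audit after the fact. The following POSIX sh script is an added example, not code from the thread or from NetBSD: it parses mount(8)-style lines, finds the filesystem that contains each mount point, and reports every mount that sits under a noexec filesystem without carrying noexec itself. The line format ("dev on /point type fs (opt, opt)") and the sample lines are constructed assumptions; on a real host you would feed it the output of `mount` instead of the embedded sample.

```shell
#!/bin/sh
# Constructed sample in the style of mount(8) output; not captured from a real host.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /home type ffs (noexec, nosuid, nodev, local)
/dev/vnd0a on /home/alice/img type ffs (nosuid, nodev, local)
/dev/vnd1a on /home/bob/img type ffs (noexec, nosuid, nodev, local)
/dev/wd0f on /usr type ffs (local)'

# Reduce "dev on /point type fs (a, b, c)" to "/point|a,b,c", one per line.
# Assumes mount points contain no spaces.
parse_mounts() {
    printf '%s\n' "$1" |
        sed -n 's/^.* on \(.*\) type [^ ]* (\(.*\))$/\1|\2/p' |
        tr -d ' '
}

# has_flag "a,b,c" FLAG: succeed if FLAG is one of the comma-separated options.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# parent_point TABLE POINT: print the mount point of the filesystem that
# contains POINT, i.e. the longest other mount point that is an ancestor of it.
parent_point() {
    table=$1; point=$2; best=""
    for q in $(printf '%s\n' "$table" | cut -d'|' -f1); do
        [ "$q" = "$point" ] && continue
        case "$point" in
            "$q"/*) ;;                       # q is an ancestor directory
            *) [ "$q" = "/" ] || continue ;;  # only the root matches everything
        esac
        [ ${#q} -gt ${#best} ] && best=$q
    done
    printf '%s\n' "$best"
}

# flags_of TABLE POINT: print the option list recorded for the mount at POINT.
flags_of() {
    printf '%s\n' "$1" | awk -F'|' -v p="$2" '$1 == p { print $2; exit }'
}

# check_inherit MOUNT_OUTPUT: print each mount point whose containing
# filesystem is noexec but which is not itself noexec. Returns 1 if any.
check_inherit() {
    table=$(parse_mounts "$1"); rc=0
    for p in $(printf '%s\n' "$table" | cut -d'|' -f1); do
        [ "$p" = "/" ] && continue
        parent=$(parent_point "$table" "$p")
        [ -n "$parent" ] || continue
        if has_flag "$(flags_of "$table" "$parent")" noexec &&
           ! has_flag "$(flags_of "$table" "$p")" noexec; then
            printf '%s\n' "$p"; rc=1
        fi
    done
    return $rc
}

# On the sample, only /home/alice/img is reported: it lives under the
# noexec /home but was mounted without noexec.
check_inherit "$SAMPLE_MOUNTS" ||
    echo "noexec not inherited by the mounts listed above" >&2
```

The same check generalises to nodev and nosuid by changing the flag name passed to `has_flag`; the thread notes those two are already forced on user mounts by the system call, so in practice noexec is the one worth auditing.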