Subject: Re: normal user can bypass mount 'noexec' flags
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 03/11/1999 18:55:22

On Mar 11, Manuel Bouyer wrote
> 1- user mounts are always 'noexec' (they're already 'nodev,nosuid'), possibly
>    depending on the kernel security level

Well, at securelevel 1 this is too restrictive, and at securelevel 2 mounts
are not allowed. This is not an option.

> 2- user mounts inherit the noexec flag from the target directory's partition.
>    The mount has to be done on a directory owned by this user, which means
>    he can write to this partition. If he can execute a file copied to this
>    partition as well, there's no security compromise by allowing it to
>    execute a binary on the partition he mounted (unless I missed something).
> 

In fact this is really easy to implement in the mount system call.
Diffs appended below. Does someone see a problem with these changes?
They seem to work ok for me.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--




Index: vfs_syscalls.c
===================================================================
RCS file: /cvsroot/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.129
diff -u -r1.129 vfs_syscalls.c
--- vfs_syscalls.c	1999/03/02 07:47:49	1.129
+++ vfs_syscalls.c	1999/03/11 17:21:12
@@ -193,8 +193,9 @@
 			return (error);
 		}
 		/*
-		 * Do not allow NFS export by non-root users. Silently
-		 * enforce MNT_NOSUID and MNT_NODEV for non-root users.
+		 * Do not allow NFS export by non-root users. For non-root
+		 * users, silently enforce MNT_NOSUID and MNT_NODEV, and
+		 * MNT_NOEXEC if mount is already MNT_NOEXEC.
 		 */
 		if (p->p_ucred->cr_uid != 0) {
 			if (SCARG(uap, flags) & MNT_EXPORTED) {
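Review bot: the new comment in this hunk says "MNT_NOEXEC if mount is already MNT_NOEXEC", but in this MNT_UPDATE path the condition tested a few lines later is `flag`, i.e. the flags the existing mount already carries, whereas the corresponding comment in the new-mount path says "if the mount point is already MNT_NOEXEC" and refers to the filesystem under the mount-point directory. Spell out the difference here ("if the existing mount is already MNT_NOEXEC") so the two comments do not read as describing the same check.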
@@ -202,6 +203,8 @@
 				return (EPERM);
 			}
 			SCARG(uap, flags) |= MNT_NOSUID | MNT_NODEV;
+			if (flag & MNT_NOEXEC)
+				SCARG(uap, flags) |= MNT_NOEXEC;
 		}
 		if (vfs_busy(mp, LK_NOWAIT, 0)) {
 			vput(vp);
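Review bot: the check `if (flag & MNT_NOEXEC)` depends on `flag` holding the mount's flags as they were before this update request, and the assignment of `flag` is not visible in this hunk; please confirm it is taken from `mp->mnt_flag` before anything in this path modifies it, otherwise a non-root MNT_UPDATE could still drop MNT_NOEXEC. Note also that this hunk only stops a user from clearing a noexec the mount already has; a user mount created without it stays exec-capable across updates, which is consistent with the inheritance added in the new-mount path but worth a sentence in the comment.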
@@ -224,8 +227,9 @@
 		return (error);
 	}
 	/*
-	 * Do not allow NFS export by non-root users. Silently
-	 * enforce MNT_NOSUID and MNT_NODEV for non-root users.
+	 * Do not allow NFS export by non-root users. For non-root users,
+	 * silently enforce MNT_NOSUID and MNT_NODEV, and MNT_NOEXEC if the
+	 * mount point is already MNT_NOEXEC.
 	 */
 	if (p->p_ucred->cr_uid != 0) {
 		if (SCARG(uap, flags) & MNT_EXPORTED) {
@@ -233,6 +237,8 @@
 			return (EPERM);
 		}
 		SCARG(uap, flags) |= MNT_NOSUID | MNT_NODEV;
+		if (vp->v_mount->mnt_flag & MNT_NOEXEC)
+			SCARG(uap, flags) |= MNT_NOEXEC;
 	}
 	if ((error = vinvalbuf(vp, V_SAVE, p->p_ucred, p, 0, 0)) != 0)
 		return (error);
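Review bot: inheriting MNT_NOEXEC from `vp->v_mount->mnt_flag` is evaluated once, at mount time, so if the administrator later remounts the underlying partition with noexec, user mounts already sitting on it keep exec permission until they are themselves remounted; if that matters, the MNT_UPDATE path above would also have to re-derive the flag from the covered filesystem rather than only preserving the mount's own flag. A short comment next to the new test saying that the filesystem holding the mount-point directory is consulted (which is what `vp->v_mount` gives here) would make the intent, and the "user could write that partition anyway" argument from the thread, clear to the next reader.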
