Subject: Re: normal user can bypass mount 'noexec' flags
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Bill Studenmund <wrstuden@nas.nasa.gov>
List: tech-security
Date: 03/12/1999 10:00:36
On Fri, 12 Mar 1999, Manuel Bouyer wrote:
> On Thu, Mar 11, 1999 at 05:12:36PM -0500, John Kohl wrote:
> > Well, you probably want to (in the case of nullfs) consider the flags
> > both on the mounted-from directory and mounted-on-top-of directory, I
> > think... if I could copy a binary to a directory, but couldn't execute
> > it from there, why should mounting atop it give me execute rights?
> > Perhaps by doing this I can launch a trojan attack somehow...
How? If you're root outside a chroot-ed environment, the reason you can
get execute rights is that you're root. In that environment, I don't see
why root wouldn't be able to copy a file somewhere else and just execute
it there. Or just remove the noexec flag.
> Yes, this is true. The fix I'll propose will do this.
Jason and I talked about one. Basically we add a new vfsop call which
tells a mount to update its flags. When a mount -u comes along and updates
a mount's flags, the mount call then walks the mount point list down from
the mount (i.e. over all mounts added after this one, the only mounts
which could possibly be mounted over this fs) and tells them to refresh
their mount flags.
leaf fs's (ffs, lfs, mfs, ext2fs, etc) would just ignore this op. Overlay
fs's would remember what flags they added, look at what they're on, and
or them together.
Take care,
Bill