On Thu, 4 Sep 2008, Serge E. Hallyn wrote: > We still have the original problem. > > When root does > > mount -bind /mnt /mnt > mount --make-rshared /mnt > mount --bind -o user=hallyn /mnt /home/hallyn/mnt > > and hallyn does > > mount --bind /usr /home/hallyn/mnt/usr > > then the kernel happily propagates the mount to /mnt/usr. Obviously, and that's exactly what root _instructed_ in the last step. If it's a security problem, root shouldn't do that. Your original bug report correctly pointed out the real security problem: | as root: | mmount --bind -o user=500 /home/hallyn/etc/ /home/hallyn/etc/ | mount --bind /mnt /mnt | mount --make-rshared /mnt | mount --bind /dev /mnt/dev | | as hallyn: | mmount --bind /mnt /home/hallyn/etc/mnt | /usr/src/mmount-0.3/mmount --bind mnt/dev mnt/src Here root does nothing "unsafe", yet the user can get propagation back into /mnt, due to the fact that a bind mount makes the new mount part of the old peer group. This is the security hole that is fixed, and AFAICS the only security hole related to propagation vs. user mounts. (I'm going to be offline tomorrow and the weekend, but will hopefully have email access next week). Thanks, Miklos -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
