Quoting Miklos Szeredi (miklos@xxxxxxxxxx): > On Thu, 4 Sep 2008, Serge E. Hallyn wrote: > > We still have the original problem. > > > > When root does > > > > mount -bind /mnt /mnt > > mount --make-rshared /mnt > > mount --bind -o user=hallyn /mnt /home/hallyn/mnt > > > > and hallyn does > > > > mount --bind /usr /home/hallyn/mnt/usr > > > > then the kernel happily propagates the mount to /mnt/usr. > > Obviously, and that's exactly what root _instructed_ in the last step. > If it's a security problem, root shouldn't do that. > > Your original bug report correctly pointed out the real security > problem: > > | as root: > | mmount --bind -o user=500 /home/hallyn/etc/ /home/hallyn/etc/ > | mount --bind /mnt /mnt > | mount --make-rshared /mnt > | mount --bind /dev /mnt/dev > | > | as hallyn: > | mmount --bind /mnt /home/hallyn/etc/mnt > | /usr/src/mmount-0.3/mmount --bind mnt/dev mnt/src > > Here root does nothing "unsafe", yet the user can get propagation back > into /mnt, due to the fact that a bind mount makes the new mount part > of the old peer group. This is the security hole that is fixed, and > AFAICS the only security hole related to propagation vs. user mounts. > > (I'm going to be offline tomorrow and the weekend, but will hopefully > have email access next week). > > Thanks, > Miklos (&(*$&%, you're right, of course. Ok, will play with it a bit more, but I think it'd be *great* to see this show up in -mm again. -serge -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
