Re: Grrrr fusermount.

Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes:

> On Wed, Oct 9, 2013 at 12:12 PM, Eric W. Biederman
> <ebiederm@xxxxxxxxxxxx> wrote:
>> ebiederm@xxxxxxxxxxxx (Eric W. Biederman) writes:
>>
>>> But I will go through and read the old fusermount code before I get too
>>> much farther just so I understand what I am potentially breaking.
>>
>> Grr.
>>
>> So I have just read the fusermount umount code and the hack that it uses
>> before there was UMOUNT_NOFOLLOW support in the vm.
>>
>> If I walk this path of lazy unmounts and detaching directories, anyone
>> with a new kernel and an old copy of fusermount and a nfs mounted home
>> directory will be able to exploit the fusermount umount symlink race.
>>
>> Unless we can declare that old fusermount binaries are buggy beyond
>> supporting this patchset as it exists is dead.
>
> What's the hack that it does?

The problem is that "umount -l /some/user/supplied/path" can unmount
anything.

Even after checking mtab etc there are races, and replacing "path" with
a symlink will still allow you to unmount anything.

So when not using UMOUNT_NOFOLLOW fusermount will do:

cd "/some/user/supplied/"

clone(CLONE_NEWNS)              # child: private copy of the mount tree
   mount --make-rprivate /
   COUNT=$(cat /proc/mounts | wc -l)
   mount --rbind . /
   # Look at the new /proc/mounts entries past $COUNT and see if there is
   # an entry for "path"
   if $found; then
        exit 0
   else
        exit 1
   fi
wait                            # parent: collect the child's verdict
if ($? == 0) umount -l "path"

As everything happens in the directory just below the mount point
we are only concerned about things that happen in that directory.

This does mean there is a window between checking that path is
a valid fuse mount point and when that mountpoint is unmounted.

So if someone can unlink/rename the mount point and replace it
with a symlink during that small window it is possible to unmount
anything.

Today the d_mountpoint tests and the requirement that distributed filesystems
(aka nfs) lie to the vfs prevent those issues.

The UMOUNT_NOFOLLOW code which appears in fuse 2.9.0 is new enough that
distros like CentOS6 don't ship it yet.

Eric
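The two halves of the above, the /proc/mounts scan fusermount does from its private namespace and the UMOUNT_NOFOLLOW unmount that replaces it, as an added C example (not fusermount's own code). The function names, the sample /proc/mounts text and the assumption that a fuse mount at "./path" shows up as "/path" after the rbind are mine.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

#ifndef UMOUNT_NOFOLLOW
#define UMOUNT_NOFOLLOW 8   /* value from linux/fs.h; glibc >= 2.12 defines it */
#endif

/* Constructed sample of /proc/mounts as the child sees it after
 * "mount --rbind . /": the first two lines predate the rbind (COUNT=2),
 * the remaining lines are the new entries the check must examine. */
static const char SAMPLE_MOUNTS[] =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "nfs-home:/home /home nfs rw,vers=3 0 0\n"
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "nfs-home:/home /home nfs rw,vers=3 0 0\n"
    "sshfs#user@host:/ /mnt fuse.sshfs rw,nosuid,nodev,user_id=1000 0 0\n";

/* Return 1 if an entry after the first `skip` lines has mount point `path`
 * and a fuse fstype (fuse or fuse.*), else 0.  This is the pre-UMOUNT_NOFOLLOW
 * check; it only proves the mount existed at scan time, hence the race. */
static int fuse_mount_listed(const char *mounts, int skip, const char *path)
{
    const char *line = mounts;
    for (int n = 0; *line; n++) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], dev[256], mnt[256], type[64];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len); buf[len] = '\0';
        if (n >= skip && sscanf(buf, "%255s %255s %63s", dev, mnt, type) == 3 &&
            strcmp(mnt, path) == 0 && strncmp(type, "fuse", 4) == 0)
            return 1;
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* The fix: let the kernel refuse to follow a final symlink component, so a
 * rename-to-symlink between check and unmount cannot redirect the umount.
 * Needs CAP_SYS_ADMIN or a fuse user mount, so it is not exercised by tests. */
static int umount_nofollow(const char *path, int lazy)
{
    return umount2(path, UMOUNT_NOFOLLOW | (lazy ? MNT_DETACH : 0));
}
```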

