Re: [security] mount: Read-only bind mount silent failure then misreporting

On Fri, Nov 6, 2009 at 1:27 PM, Karel Zak <kzak@xxxxxxxxxx> wrote:
> On Fri, Nov 06, 2009 at 12:34:45PM +0000, Terry Burton wrote:
>> This is dangerous enough. However, it is totally insane to incorrectly
>> update mtab to indicate that a mount is ro when it is in fact rw so
>> that mount then reports bogus options.
>
>  man mount, section BUGS.
>
>  Maybe we can add some note about read-only bind mounts there (patches
>  are welcomed).

Karel,

Thanks for your prompt reply.

That sounds like "cover your ass" security to me, rather than anything
actually corrective or at least preventative. Adding a note to the
documentation would do little in the way of preventing users from
exposure to this vulnerability. If the tool is not going to do what
the command line arguments imply, surely it would be better to surface
the defect to users at runtime rather than leave nasty surprises.

Would not any of the following be a more appropriate immediate solution:

1. Fix mount so that it does what is necessary to ensure that the
mount is actually ro.
2. Leave mount broken and add a dire runtime warning - "WARNING: New
mount is RW and mtab is bogus"
3. Leave mount broken and refuse a combination of -o ro and --bind
arguments - "ERROR: Invalid argument for a --bind mount, -ro"

What are your thoughts regarding these actions?

If you concur with my reasoning then I will look to provide the most
appropriate patch. (I guess that option 1 is non-trivial, otherwise it
would have been fixed?)

>> This situation has now persisted for more than 18 months and is
>> undoubtedly resulting in security issues for some users.
>>
>> Is a fix planned?
>
>  plan is to remove /etc/mtab from Linux and use /proc/self/mountinfo
>
>  The current mtab based solution is broken by design.

That would certainly be solid progress but I guess this is a little way off?


Many thanks,

Terry
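
The mismatch discussed in this thread can be checked for by comparing what mtab claims with what the kernel reports in /proc/self/mountinfo. The following is an added example, not code from the thread or from util-linux-ng; the function names and sample data are constructed for illustration, and it assumes the mountinfo field layout documented in proc(5).

```python
"""Flag mounts that mtab lists as ro while the kernel has them rw."""

# Constructed sample data: /srv/export is a bind mount recorded as "ro" in
# mtab although the kernel still has it read-write.
SAMPLE_MTAB = """
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/srv/data /srv/export none ro,bind 0 0
/dev/sdb1 /media/cd iso9660 ro 0 0
"""
SAMPLE_MOUNTINFO = """
15 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
24 15 8:1 /srv/data /srv/export rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
25 15 8:17 / /media/cd ro,relatime - iso9660 /dev/sdb1 ro
"""

def kernel_ro_state(mountinfo_text):
    """Map mount point -> True if the kernel treats the mount as read-only."""
    state = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields end at a lone "-"
        except ValueError:
            continue  # blank or malformed line
        per_mount = fields[5].split(",")
        superblock = fields[sep + 3].split(",") if len(fields) > sep + 3 else []
        # Read-only if either the mount itself or its superblock is ro.
        state[fields[4]] = "ro" in per_mount or "ro" in superblock
    return state

def mtab_claims_ro(mtab_text):
    """Map mount point -> True if mtab lists the option 'ro' for it."""
    claims = {}
    for line in mtab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        # Split on commas so "errors=remount-ro" is not mistaken for "ro".
        claims[fields[1]] = "ro" in fields[3].split(",")
    return claims

def misreported_ro(mtab_text, mountinfo_text):
    """Mount points mtab reports as ro that the kernel has mounted rw."""
    kernel = kernel_ro_state(mountinfo_text)
    return sorted(mp for mp, ro in mtab_claims_ro(mtab_text).items()
                  if ro and kernel.get(mp) is False)

if __name__ == "__main__":
    for mount_point in misreported_ro(SAMPLE_MTAB, SAMPLE_MOUNTINFO):
        print("mtab says ro, kernel says rw:", mount_point)
```

Both files escape whitespace in paths the same way, so mount points are compared as raw strings. To check a live system, pass the contents of /etc/mtab and /proc/self/mountinfo instead of the samples.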