Re: [security] mount: Read-only bind mount silent failure then misreporting

On Fri, Nov 06, 2009 at 02:04:39PM +0000, Terry Burton wrote:
> On Fri, Nov 6, 2009 at 1:27 PM, Karel Zak <kzak@xxxxxxxxxx> wrote:
> > On Fri, Nov 06, 2009 at 12:34:45PM +0000, Terry Burton wrote:
> >> This is dangerous enough. However, it is totally insane to incorrectly
> >> update mtab to indicate that a mount is ro when it is in fact rw so
> >> that mount then reports bogus options.
> >
> >  man mount, section BUGS.
> >
> >  Maybe we can add some note about read-only bind mounts there (patches
> >  are welcomed).
> 
> Karel,
> 
> Thanks for your prompt reply.
> 
> That sounds like "cover your ass" security to me, rather than anything
> actually corrective or at least preventative. Adding a note to the
> documentation would do little in the way of preventing users from
> exposure to this vulnerability. If the tool is not going to do what
> the command line arguments imply, surely it would be better to surface

 The tool does nothing; it's the kernel that interprets the mount()
 syscall, and the kernel does not return any error if you ask for a
 read-only bind mount (see strace output).

> the defect to users at runtime rather than leave nasty surprises.
> 
> Would not any of the following be a more appropriate immediate solution:
> 
> 1. Fix mount so that it does what is necessary to ensure that the
> mount is actually ro.
> 2. Leave mount broken and add a dire runtime warning - "WARNING: New
> mount is RW and mtab is bogus"

 You have to wait for the /proc/mounts update and parse the file (or
 ideally parse /proc/self/mountinfo, because /proc/mounts does not
 provide all the necessary information...)

> 3. Leave mount broken and refuse a combination of -o ro and --bind
> arguments - "ERROR: Invalid argument for a --bind mount, -ro"

 The best solution seems to be to try to detect MS_BIND + MS_RDONLY and
 then try to open() read-write any file in the target directory, and
 update mtab according to the result of this test. And print a warning
 if the target directory is still read-write.

    Karel

-- 
 Karel Zak  <kzak@xxxxxxxxxx>
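
The mountinfo-based check mentioned in the message above, as an added example that is not part of the original post or of util-linux: it reads the per-mount options from /proc/self/mountinfo-format text and flags a mount that mtab records as ro while the kernel still has it rw. The function names, paths and the sample mount table are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/self/mountinfo format (not from the thread). */
static const char SAMPLE[] =
    "20 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw\n"
    "31 20 8:1 /srv/data /mnt/ro rw,relatime - ext3 /dev/sda1 rw\n"
    "32 20 8:1 /srv/data /mnt/fixed ro,relatime - ext3 /dev/sda1 rw\n";

/* 1 if the comma-separated option list contains the exact token "ro". */
static int has_ro(const char *opts)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", opts);
    for (char *t = strtok(buf, ","); t; t = strtok(NULL, ","))
        if (strcmp(t, "ro") == 0)
            return 1;
    return 0;
}

/* Field 5 is the mount point, field 6 the per-mount options. Returns 1 if the
 * topmost mount on target is ro, 0 if rw, -1 if target is not mounted.
 * target must use mountinfo's escaping (a space is written as \040). */
int mountinfo_readonly(const char *text, const char *target)
{
    int result = -1;
    while (*text) {
        char line[1024], mnt[256], opts[256];
        size_t n = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, text);
        if (sscanf(line, "%*d %*d %*s %*s %255s %255s", mnt, opts) == 2 &&
            strcmp(mnt, target) == 0)
            result = has_ro(opts);      /* later lines are mounted on top */
        text += n + (text[n] == '\n');
    }
    return result;
}

/* 1 when mtab claims ro but the kernel still has the mount rw. */
int mtab_is_bogus(const char *mtab_opts, const char *info, const char *target)
{
    return has_ro(mtab_opts) && mountinfo_readonly(info, target) == 0;
}

int main(void)
{
    printf("/mnt/ro: mtab bogus=%d\n", mtab_is_bogus("ro,bind", SAMPLE, "/mnt/ro"));
    return 0;
}
```

On a live system the `info` argument would be the contents of /proc/self/mountinfo read after the mount() call returns.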