Re: [security] mount: Read-only bind mount silent failure then misreporting

On 2009-11-18 16:09:18 +0000, Terry Burton wrote:
> On Wed, Nov 18, 2009 at 2:01 PM, Karel Zak <kzak@xxxxxxxxxx> wrote:
> > On Fri, Nov 06, 2009 at 03:46:20PM +0100, Karel Zak wrote:
> >> On Fri, Nov 06, 2009 at 02:04:39PM +0000, Terry Burton wrote:
> >> > 3. Leave mount broken and refuse a combination of -o ro and --bind
> >> > arguments - "ERROR: Invalid argument for a --bind mount, -ro"
> >>
> >>  the best solution seems to try to detect MS_BIND + MS_RDONLY and then
> >>  try to open() read-write any file in the target directory, and update
> >>  mtab according to the result from this test. And print any warning
> >>  if the target directory is still read-write.
> >
> > I forgot note that
> >
> >   # mount --bind /foo /bar
> >   # mount -o remount,ro /bar
> >
> > works as expected (/foo is rw and /bar is ro).
> 
> Karel,
> 
> cc: Kusanagi Kouichi
> 
> Thanks for the advice. This is precisely the approach I have been
> using since read-only bind mounts first became available.
> 
> My reason for raising this issue at this time is that I was asked to
> investigate an instance where a knowledgeable sysadmin's security
> assumptions were entirely invalidated because of the silent failure then
> misreporting of the command sequence mount --bind -o ro ...; mount ...
> which (along with other omissions) ultimately led to their web content
> being defaced.
> 
> I might agree that it seems wrong for the kernel to silently disregard
> the MS_RDONLY option, but nevertheless somebody ought to own this
> issue and work to close or highlight this security flaw and when this
> issue has been
> 
> I've not yet had the chance to give any attention to solving the issue
> in the way that you suggest, however I imagine that there may be
> complications for filesystems that have naming restrictions?
> 
> Having said that, it does appear as though this issue may have just
> gained some traction in the kernel [1].
> 
> Kusanagi: Was there any further offlist reception for your recent
> patch? It seems very sensible and would ultimately resolve the issue
> discussed here [2].
> 

I didn't receive any further messages. Filesystem developers don't
seem to think this is a bug.

> 
> [1] http://patchwork.kernel.org/patch/56569/
> [2] http://thread.gmane.org/gmane.linux.utilities.util-linux-ng/2771
> 
> 
> All the best,
> 
> Terry
--
To unsubscribe from this list: send the line "unsubscribe util-linux-ng" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
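The thread's point is that mtab may report a bind mount as read-only while the kernel never honoured MS_RDONLY, so an administrator who trusts the mount table is trusting a claim rather than an enforced property. Karel's suggested check, trying to open a file read-write in the target and believing the result rather than the flags, can also be run by hand after mounting. The program below is an added example written for this page, not code from util-linux or from anyone in the thread. It probes a directory by attempting to create a file with open(2) and distinguishes EROFS (the kernel really enforces read-only) from success (writable) and from other failures such as EACCES or a missing directory (inconclusive). The probe file name is an assumption; it is short and contains only portable characters to reduce trouble with filesystems that restrict names, the complication Terry raises.

```c
/* ro-probe.c: check whether a directory is enforced read-only by the
 * kernel, independent of what /etc/mtab or mount(8) claims.
 * Added example for the thread above; not part of util-linux.
 *
 * Return values of probe_rdonly():
 *   1  the kernel refused the write with EROFS (genuinely read-only)
 *   0  a file could be created and removed (writable)
 *  -1  inconclusive: permission denied, directory missing, name too long,
 *      probe file already present, or any other error (errno is left set)
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int probe_rdonly(const char *dir)
{
    char path[4096];
    /* Assumed probe name: short, portable characters, pid suffix so that
     * concurrent checks on the same directory do not collide. */
    int n = snprintf(path, sizeof path, "%s/.roprobe%ld", dir, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }

    /* O_CREAT|O_EXCL forces a real write to the directory; on a read-only
     * mount the VFS rejects this with EROFS before touching the filesystem. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        unlink(path);      /* leave no trace of the probe */
        return 0;
    }
    if (errno == EROFS)
        return 1;
    return -1;             /* EACCES, ENOENT, EEXIST, ...: cannot tell */
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s DIRECTORY\n", argv[0]);
        return 2;
    }
    switch (probe_rdonly(argv[1])) {
    case 1:
        printf("%s: read-only (kernel enforced)\n", argv[1]);
        return 0;
    case 0:
        printf("%s: WRITABLE despite any 'ro' shown in mtab\n", argv[1]);
        return 1;
    default:
        printf("%s: inconclusive: %s\n", argv[1], strerror(errno));
        return 2;
    }
}
```

A typical use after the sequence from the thread is `mount --bind /foo /bar; mount -o remount,ro /bar; ./ro-probe /bar`, run as a user who would otherwise be able to write there; an "inconclusive" result from EACCES means the test said nothing about the mount flags and should be repeated with sufficient privilege rather than read as success.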
