Subject: Re: kern/7129: normal user can bypass mount 'noexec' flags
To: Bill Studenmund <wrstuden@nas.nasa.gov>
From: Chris G. Demetriou <cgd@netbsd.org>
List: tech-kern
Date: 03/11/1999 17:23:48
Bill Studenmund <wrstuden@nas.nasa.gov> writes:
> I think it would be simpler to just add the smarts into the mount
> commands. If each one along the way starts with the underlying fs's flags,
> adds ones it considers important, and only lets root delete flags, then we
> should be fine.
uh, the mount commands (for user mounts) are currently unprivileged.
the user can get the source for the relevant mount command, remove the
checks/inheritance, and recompile it.
so if you're going to do this, you at the very least have to verify in
the kernel that the user's not trying to do something bad.
btw, in any case, it probably makes sense to have a mask of flags to
inherit from a lower level mount, i.e. when figuring out what flags
to use at your level, you do:
my_flags = my_req_flags | (lower_level_flags & inherit_mask)
e.g. you might not want to automatically inherit read-only-ness, the
export-related flags, or other 'visible' flags. (it's almost certain
that you don't want to inherit the non-visible flags.)
BTW:
#define MNT_VISFLAGMASK 0x2400ffff
Why doesn't that include:
#define MNT_NODEVMTIME 0x08000000 /* Never update mod times for devs */
#define MNT_EXNORESPORT 0x08000000 /* don't enforce reserved
ports (NFS) */
#define MNT_EXPUBLIC 0x10000000 /* public export (WebNFS) */
and is it intended that MNT_NODEVMTIME and MNT_EXNORESPORT have the
same value?!
cgd
--
Chris Demetriou - cgd@netbsd.org - http://www.netbsd.org/People/Pages/cgd.html
Disclaimer: Not speaking for NetBSD, just expressing my own opinion.