Subject: Re: normal user can bypass mount 'noexec' flags
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 03/11/1999 11:45:05
On Thu, Mar 11, 1999 at 05:12:55PM +0100, Manuel Bouyer wrote:
> Hi,
> I just sent a PR about this (# 7129): by using a null mount, a regular user
> can mount a directory on another, and can execute binaries in the target
> directory even if the source directory is noexec. This completely defeats
> the purpose of the noexec mount flag.
> 
> Fixing this requires a change to the "mount by a non-root user" semantics.
> I can see 2 ways of handling this:
> 1- user mounts are always 'noexec' (they're already 'nodev,nosuid'), possibly
>    depending on the kernel security level

I want that, at security level 2.  It's consistent with the other restrictions
on mount (actually, users may not be able to mount new filesystems now -- I'm
pretty sure nobody can) so if it's not that way yet at securelevel 2, please
make it so.

> 2- user mounts inherit the noexec flag from the target directory's partition.
>    The mount has to be done on a directory owned by this user, which means
>    he can write to this partition. If he can execute a file copied to this
>    partition as well, there's no security compromise in allowing him to
>    execute a binary on the partition he mounted (unless I missed something).

Imagine a machine where one wants to restrict the set of binaries a user can
run.  The users can write to their home directories, but they're noexec.  So
long as any mount done on those partitions is also noexec, I think I'm okay
with what you're proposing.

A better solution might be to do that *and* add a "nosubmount" or some such
flag, to prevent user mounts entirely.  Also, I strongly suspect you may need
to do all the same things discussed above for "nodev", and "nosuid"...

Thor
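The mount-flag policy the thread is arguing over, as an added illustration that is not NetBSD's kernel code and not part of the original message: a small C model of what a non-root mount should get, covering the old "nodev,nosuid only" rule that PR 7129 describes, Manuel's option 2 (inherit from the target filesystem, extended to nodev and nosuid as Thor suggests), option 1 at securelevel 2, and Thor's "nosubmount" idea. Only the MNT_* names are borrowed from the BSD mount interface; their values, the MNT_NOSUBMOUNT bit, `struct mountpoint`, `user_mount_flags`, `exec_permitted`, and the sample uid and securelevel are all assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Mount flag bits.  Names follow the BSD MNT_* convention; the values and the
 * MNT_NOSUBMOUNT bit are assumptions for this illustration, not NetBSD's. */
#define MNT_NOSUID      0x01u
#define MNT_NODEV       0x02u
#define MNT_NOEXEC      0x04u
#define MNT_NOSUBMOUNT  0x08u   /* hypothetical: refuse non-root mounts below this fs */

/* Option 2, extended as Thor suggests: every restriction the target
 * filesystem carries is inherited by a non-root mount placed on it. */
#define MNT_INHERITED   (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC)

/* What the mount syscall knows about the directory being mounted on. */
struct mountpoint {
    unsigned owner_uid;     /* owner of the mount-point directory */
    unsigned fs_flags;      /* flags of the filesystem that directory lives on */
};

/* Behaviour described in PR 7129: non-root mounts only get nodev,nosuid
 * forced on, so a null mount of a noexec directory is executable. */
unsigned old_user_mount_flags(unsigned requested)
{
    return requested | MNT_NOSUID | MNT_NODEV;
}

/*
 * Proposed behaviour.  Returns 0 and stores the effective flags in *out, or a
 * negative errno when the request must be refused.
 */
int user_mount_flags(unsigned requested, const struct mountpoint *mp,
                     unsigned uid, int securelevel, unsigned *out)
{
    if (uid == 0) {                       /* root: flags taken as requested */
        *out = requested;
        return 0;
    }
    if (securelevel >= 2)                 /* option 1: no user mounts at securelevel 2 */
        return -EPERM;
    if (mp->owner_uid != uid)             /* must own the directory mounted on */
        return -EPERM;
    if (mp->fs_flags & MNT_NOSUBMOUNT)    /* admin forbade user mounts below here */
        return -EPERM;

    *out = requested
         | MNT_NOSUID | MNT_NODEV          /* the existing forced bits */
         | (mp->fs_flags & MNT_INHERITED); /* plus whatever the target fs forbids */
    return 0;
}

/* The check the exec path makes against the vnode's mount. */
bool exec_permitted(unsigned mnt_flags)
{
    return (mnt_flags & MNT_NOEXEC) == 0;
}

int main(void)
{
    /* Constructed scenario: /home is mounted noexec; uid 1000 owns ~/x. */
    struct mountpoint home_dir = { .owner_uid = 1000, .fs_flags = MNT_NOEXEC };
    unsigned flags;

    /* Old rule: a null mount of any directory onto ~/x is executable. */
    printf("old rule: exec %s\n",
           exec_permitted(old_user_mount_flags(0)) ? "allowed (bypass)" : "denied");

    /* Option 2: the null mount inherits noexec from /home. */
    if (user_mount_flags(0, &home_dir, 1000, 1, &flags) == 0)
        printf("option 2: exec %s\n", exec_permitted(flags) ? "allowed" : "denied");

    /* Option 1 at securelevel 2: the mount is refused outright. */
    printf("securelevel 2: %s\n",
           user_mount_flags(0, &home_dir, 1000, 2, &flags) == -EPERM ? "EPERM" : "mounted");
    return 0;
}
```

The point of modelling it this way is that the decision is made on the flags of the filesystem under the mount point, never on the flags of the null mount's source: that is what makes the source's noexec irrelevant in the old rule, and what option 2 repairs. A user who owns a directory on an executable partition still gets an executable null mount, which is exactly the case Manuel argues is harmless.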