Re: more "mount" grist
der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Wed, 3 May 1995 09:36:41 -0400
>> ultrix 4.x also allows nonroot users to mount NFS filesystems, if I
>> remember right. Shiver...
> Yep. However, it isn't as bad as you might think, as Ultrix forces
> all non-root mounts to be nosuid,nodev, which makes 'em mostly
> harmless (if someone knows otherwise, I'd like to hear about it).
First thing that comes to mind is to ensure that it does correct checks
for the mounted-over directory. Preferably, the user doing the mount
must own it; it seems reasonable at first glance to merely require the
user to be able to write it, but this lets anyone mount over /tmp (and
possibly /var/spool/mail, depending on how Ultrix has that set up).
Given the number of programs we've seen which have races with respect
to opening files in /tmp, having /tmp utterly under the control of an
arbitrary user seems pretty dangerous to me.
Even with nosuid,nodev, though, there may still be dangers, since
arbitrary ownership and mode bits may be presented, and thus other
programs may be fooled into thinking something has been approved by
(say) root when it actually hasn't. I have no specific examples in
mind, but it would not surprise me a bit if some programs relaxed
certain checks when some config file is owned by root, on the theory
that if root did it, there's no point in checking further. (Of course,
this would really be a bug in the program, not in Ultrix mount....)
I think I would prefer something like what I've seen somewhere else,
with cd-roms I think: simply make _everything_ on the mounted
filesystem come out owned by the user who did the mount. Then you can
ignore the setuid-bit issue entirely (though you still need nodev, of
course). I'm not sure what I'd do about creates by other users; of
course, with cd-roms this isn't an issue, but with NFS it is....
der Mouse
mouse@collatz.mcrcim.mcgill.edu