On Thu, 1 Jun 2000, Pavel Machek wrote:
> > mount -t bind old new
> Ugh. And it works on normal user in 2.4.0!
> There *have* to be some security implications of this.
I believe the basic security implication of this feature (esp. in the
hands of mere mortals) is the ability to create "directory hardlinks".
In the past, it was not possible to jump from one part of the tree to
another unless you traversed a symlink, therefore programs like /tmp
cleaners (that need to make sure not to leave a specific subtree) checked
for symlinks. I have not analyzed any real code so far but I am afraid
there is at least one widely used program whose sanity checks would be
fooled by this "loopback mounting". You can call that program sloppy
but it had behaved correctly until one of the crucial premises about fs
structure was changed.
Conclusion: I do not think it is responsible to introduce such a hazardous
feature without giving the rest of the world a reasonable amount of time
(Added cc to security-audit.)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to firstname.lastname@example.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:14 EST