user mounting

[Andries.Brouwer]

Many distributions are willing to let a user mount her own
floppy or CDROM or memory stick, where it is not intended
that a user can crash the system or subvert security.

However, at present an fstab line with "auto" for filesystem type,
allows the user to come with her own maliciously constructed
filesystem, and crash the system - there are many filesystem
types, and the more obscure ones among them are full of bugs.

Less obscure filesystem types still allow an easy denial of service -
for example, if the kernel does a printk() for every filesystem error,
one can keep syslog busy for hours or days, where very little else
happens.

The ext2 filesystem allows one to specify what happens upon error,
for example "panic on error". Now mounting a corrupt ext2 filesystem image
with this bit set causes the kernel to panic voluntarily.

I mentioned such things some time ago to a few people, but they
did not seem impressed.

Still, I think we should try to design a better behaviour.

Part of my proposal for a solution lives in kernel space.
Introduce a mount flag "user mounted". When it is set,
the kernel will not do a printk() for this filesystem,
and certainly will not panic.

On the user space side of things, distributions using "auto" today
might consider changing that into explicit comma-separated lists
of alternatives, so that adding new untested filesystems to the kernel
does not increase the risk of running that kernel.

Andries
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/