Comment 3 for bug 13131

Justin Pryzby (justinpryzby-users) wrote: Re: Bug#296201: mount: unprivileged user can mount partition without updating mtab

On Sun, Feb 20, 2005 at 03:59:20PM -0800, Tyler MacDonald wrote:
> Package: mount
> Version: 2.12p-2
> Severity: grave
> Justification: user security hole
>
>
> If a non-root user mounts media (in my case, a CD-ROM), and attempts
> to kill the process (in my case, a mad combination of ^C and ^\),
> the filesystem can be mounted, yet not appear in /etc/mtab.
This is the user inflicting damage on themselves, mostly.

> This means that when the user does a "df", it does not show up, and
> when they try to unmount it (unless they are root), they are denied,
> told that the filesystem is not mounted according to /etc/mtab.

> This introduces two security holes:
>
> 1) A malicious user could lock-up removable media for anybody
> else that wishes to use the system; or
This is a DOS, I guess, but doesn't compromise any data. Potentially,
this could be fixed by writing mtab before calling mount(2), though I
don't know what the implications of that are. Or mount(1) could check
something else (?) after it checks mtab.

Maybe mount needs a signal handler, which sets an "abort" flag, which
is checked after mount(2) is called, which causes unmount to be
called, instead of writing mtab? Hmm. Probably mtab should be open()
before calling mount, if that's not already the case.

> 2) A user is told that data is not available which actually
> is, which could mislead them into leaving it there for others
> to access.
Which isn't a problem, since entering the mount command makes it
accessible anyway. If the user didn't want it to be accessible, then
they shouldn't have entered the command.

> .. and, of course, in the case of cd-rom's which are usually locked
> while mounted, a user without root access or access to the person
> with root access can't get his/her CD rom back (without sticking a
> needle in the little hole, but we don't want them to do that, do
> we?)
If they want the CD back, then they have to have physical access,
which is usually considered as good as root.

Justin
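
The signal-handler idea from the reply above (set an abort flag, check it after mount(2) returns, unmount instead of writing mtab), as an added example that is not part of the original message or of mount's source. sim_mount, sim_umount and sim_mtab are constructed stand-ins for mount(2), umount(2) and the mtab update so the control flow runs without root; guarded_mount and the GM_* codes are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <string.h>

/* Constructed stand-ins for mount(2), umount(2) and the mtab update, so the
 * control flow runs without root. sim.interrupt simulates ^C arriving mid-mount. */
struct sim { int interrupt, mounted, in_mtab; };
static int sim_mount(struct sim *s)  { s->mounted = 1; if (s->interrupt) raise(SIGINT); return 0; }
static int sim_umount(struct sim *s) { s->mounted = 0; return 0; }
static int sim_mtab(struct sim *s)   { s->in_mtab = 1; return 0; }

static volatile sig_atomic_t abort_requested;
static void on_abort(int signo) { (void)signo; abort_requested = 1; }
enum { GM_MOUNTED = 0, GM_ABORTED = 1, GM_FAILED = -1 };

/* Keep "mounted" and "listed in mtab" in step: ^C and ^\ only set a flag,
 * and the flag is acted on once the mount call has returned. */
int guarded_mount(struct sim *s)
{
    struct sigaction sa, old_int, old_quit;
    int rc;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_abort;
    sigemptyset(&sa.sa_mask);
    abort_requested = 0;
    sigaction(SIGINT, &sa, &old_int);
    sigaction(SIGQUIT, &sa, &old_quit);
    if (sim_mount(s) != 0) {
        rc = GM_FAILED;                    /* nothing mounted, nothing to record */
    } else if (!abort_requested && sim_mtab(s) == 0) {
        rc = GM_MOUNTED;                   /* mounted and recorded */
    } else {
        /* Aborted (or, as an assumption beyond the reply, mtab write failed):
         * undo the mount rather than leave it unrecorded. */
        rc = abort_requested ? GM_ABORTED : GM_FAILED;
        if (sim_umount(s) != 0) rc = GM_FAILED;
    }
    sigaction(SIGINT, &old_int, NULL);     /* restore the caller's handlers */
    sigaction(SIGQUIT, &old_quit, NULL);
    return rc;
}

int main(void)
{
    struct sim ok = {0, 0, 0}, hit = {1, 0, 0};   /* constructed inputs */
    int a = guarded_mount(&ok), b = guarded_mount(&hit);
    return !(a == GM_MOUNTED && ok.in_mtab && b == GM_ABORTED && !hit.mounted);
}
```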