diff options
author | Karel Zak | 2009-01-16 12:21:15 +0100 |
---|---|---|
committer | Karel Zak | 2009-02-04 12:50:14 +0100 |
commit | 0959f8063bf9b4d576822fe742a2bc9f5d1d1dbc (patch) | |
tree | 23e2bb1b3d58f1613dba0bd77d1cfe8324ed8585 /mount | |
parent | fdisk: add 0xaf HFS / HFS partition type (diff) | |
download | kernel-qcow2-util-linux-0959f8063bf9b4d576822fe742a2bc9f5d1d1dbc.tar.gz kernel-qcow2-util-linux-0959f8063bf9b4d576822fe742a2bc9f5d1d1dbc.tar.xz kernel-qcow2-util-linux-0959f8063bf9b4d576822fe742a2bc9f5d1d1dbc.zip |
mount: non-setuid (POSIX file capabilities) support
The mount command does not work properly if you replace suid with
POSIX file capabilities. We still need to check for non-root mounts and
the command has to work in very restricted mode for non-root users.
This patch allows you to remove suid bit from mount and umount. Note
that you need a system with filesystem capability support, e.g.
Fedora 10).
# ls -l /bin/mount
-rwxr-xr-x 1 root root 65192 2008-11-09 22:59 /bin/mount
# getcap /bin/mount
/bin/mount = cap_dac_override,cap_sys_admin+ep
[kzak@redhat.com: all the above comments]
Don't bypass security checks when [u]mount uses POSIX file capabilities
rather than setuid root to permit non-root mounts.
Signed-off-by: Geoff Johnstone <geoff.johnstone@googlemail.com>
Diffstat (limited to 'mount')
-rw-r--r-- | mount/mount.c | 33 | ||||
-rw-r--r-- | mount/umount.c | 22 |
2 files changed, 36 insertions, 19 deletions
diff --git a/mount/mount.c b/mount/mount.c index f92b23cba..23f27d676 100644 --- a/mount/mount.c +++ b/mount/mount.c @@ -80,8 +80,8 @@ static int list_with_volumelabel = 0; */ static int mounttype = 0; -/* True if ruid != euid. */ -static int suid = 0; +/* True if (ruid != euid) or (0 != ruid), i.e. only "user" mounts permitted. */ +static int restricted = 1; /* Contains the fd to read the passphrase from, if any. */ static int pfd = -1; @@ -774,12 +774,12 @@ guess_fstype_and_mount(const char *spec, const char *node, const char **types, } /* - * suid_check() + * restricted_check() * Die if the user is not allowed to do this. */ static void -suid_check(const char *spec, const char *node, int *flags, char **user) { - if (suid) { +restricted_check(const char *spec, const char *node, int *flags, char **user) { + if (restricted) { /* * MS_OWNER: Allow owners to mount when fstab contains * the owner option. Note that this should never be used @@ -1109,7 +1109,7 @@ try_mount_one (const char *spec0, const char *node0, const char *types0, if (mount_all && (flags & MS_NOAUTO)) goto out; - suid_check(spec, node, &flags, &user); + restricted_check(spec, node, &flags, &user); /* The "mount -f" checks for for existing record in /etc/mtab (with * regular non-fake mount this is usually done by kernel) @@ -1190,7 +1190,7 @@ mount_retry: /* Mount failed, complain, but don't die. */ if (types == 0) { - if (suid) + if (restricted) error (_("mount: I could not determine the filesystem type, " "and none was specified")); else @@ -2027,11 +2027,20 @@ main(int argc, char *argv[]) { return print_all (types); } - if (getuid () != geteuid ()) { - suid = 1; - if (types || options || readwrite || nomtab || mount_all || - fake || mounttype || (argc + specseen) != 1) - die (EX_USAGE, _("mount: only root can do that")); + { + const uid_t ruid = getuid(); + const uid_t euid = geteuid(); + + /* if we're really root and aren't running setuid */ + if (((uid_t)0 == ruid) && (ruid == euid)) { + restricted = 0; + } + } + + if (restricted && + (types || options || readwrite || nomtab || mount_all || + fake || mounttype || (argc + specseen) != 1)) { + die (EX_USAGE, _("mount: only root can do that")); } atexit(unlock_mtab); diff --git a/mount/umount.c b/mount/umount.c index 00745aed9..738d05c31 100644 --- a/mount/umount.c +++ b/mount/umount.c @@ -74,8 +74,8 @@ int nomtab = 0; /* Call losetup -d for each unmounted loop device. */ int delloop = 0; -/* True if ruid != euid. */ -int suid = 0; +/* True if (ruid != euid) or (0 != ruid), i.e. only "user" umounts permitted. */ +int restricted = 1; /* Last error message */ int complained_err = 0; @@ -477,7 +477,7 @@ umount_file (char *arg) { if (!mc && verbose) printf(_("Could not find %s in mtab\n"), file); - if (suid) { + if (restricted) { char *mtab_user = NULL; if (!mc) @@ -640,10 +640,18 @@ main (int argc, char *argv[]) { usage (stderr, 1); } - if (getuid () != geteuid ()) { - suid = 1; - if (all || types || nomtab || force || remount) - die (2, _("umount: only root can do that")); + { + const uid_t ruid = getuid(); + const uid_t euid = geteuid(); + + /* if we're really root and aren't running setuid */ + if (((uid_t)0 == ruid) && (ruid == euid)) { + restricted = 0; + } + } + + if (restricted && (all || types || nomtab || force || remount)) { + die (2, _("umount: only root can do that")); } argc -= optind; |