authorKarel Zak2012-11-26 14:30:22 +0100
committerKarel Zak2012-11-26 16:24:54 +0100
commit5ebbc3865d1e53ef42e5f121c41faab23dd59075 (patch)
treec66387a40ab7d9e14f48ce508a11e9f6c665d8f9 /sys-utils/mount.c
parentlib/canonicalize: add canonicalize_path_restricted() to canonicalize without ... (diff)
mount: sanitize paths from non-root users
  $ mount /root/.ssh/../../dev/sda2
  mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot

This is too promiscuous. It seems better to ignore paths specified on the command line that are not resolvable for non-root users.

Fixed version:

  $ mount /root/.ssh/../../dev/sda2
  mount: /root/.ssh/../../dev/sda2: Permission denied

  $ mount /dev/sda2
  mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot

Note that this bug has no relation to mount(2) permissions evaluation in suid mode. The way a non-root user specifies paths on the command line is completely irrelevant for comparison with fstab entries.

Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'sys-utils/mount.c')
-rw-r--r--sys-utils/mount.c35
1 files changed, 35 insertions, 0 deletions
diff --git a/sys-utils/mount.c b/sys-utils/mount.c
index ed7417788..e29e34cfd 100644
--- a/sys-utils/mount.c
+++ b/sys-utils/mount.c
@@ -39,6 +39,7 @@
#include "exitcodes.h"
#include "xalloc.h"
#include "closestream.h"
+#include "canonicalize.h"
#define OPTUTILS_EXIT_CODE MOUNT_EX_USAGE
#include "optutils.h"
@@ -603,6 +604,37 @@ static struct libmnt_table *append_fstab(struct libmnt_context *cxt,
return fstab;
}
+/*
+ * Check source and target paths -- non-root user should not be able to
+ * resolve paths which are unreadable for him.
+ */
+static void sanitize_paths(struct libmnt_context *cxt)
+{
+ const char *p;
+ struct libmnt_fs *fs = mnt_context_get_fs(cxt);
+
+ if (!fs)
+ return;
+
+ p = mnt_fs_get_target(fs);
+ if (p) {
+ char *np = canonicalize_path_restricted(p);
+ if (!np)
+ err(MOUNT_EX_USAGE, "%s", p);
+ mnt_fs_set_target(fs, np);
+ free(np);
+ }
+
+ p = mnt_fs_get_srcpath(fs);
+ if (p) {
+ char *np = canonicalize_path_restricted(p);
+ if (!np)
+ err(MOUNT_EX_USAGE, "%s", p);
+ mnt_fs_set_source(fs, np);
+ free(np);
+ }
+}
+
static void __attribute__((__noreturn__)) usage(FILE *out)
{
fputs(USAGE_HEADER, out);
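Review bot: In sanitize_paths() the return values of `mnt_fs_set_target(fs, np)` and `mnt_fs_set_source(fs, np)` are discarded, so if either setter fails (their bodies are not visible here; presumably they copy the string and can fail on allocation) the original, user-supplied path stays in the fs entry and the function returns as if it had been sanitized. A check on the restricted (non-root) path should fail closed: `if (mnt_fs_set_target(fs, np)) errx(MOUNT_EX_SYSERR, "failed to set target path");` and the equivalent for the source. The two stanzas are otherwise identical apart from the getter and setter, so a small static helper taking the path and returning the canonicalized copy would keep the error handling in one place. It would also help to extend the header comment to say that `canonicalize_path_restricted()` is expected to resolve with the caller's real credentials, since that is the property the whole function relies on.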
@@ -970,6 +1002,9 @@ int main(int argc, char **argv)
} else
usage(stderr);
+ if (mnt_context_is_restricted(cxt))
+ sanitize_paths(cxt);
+
if (oper) {
/* MS_PROPAGATION operations, let's set the mount flags */
mnt_context_set_mflags(cxt, oper);
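Review bot: The new `if (mnt_context_is_restricted(cxt)) sanitize_paths(cxt);` call has an ordering requirement that is not written down: it has to run after the command-line source and target have been stored in the context and before anything resolves those paths with elevated privileges. main() starts and ends outside this hunk, so whether any earlier step already touches the paths cannot be confirmed from here and is worth checking. I would add a comment above the call such as `/* non-root: canonicalize user-supplied paths with the user's own permissions before any fstab/mtab lookup */` so a later reshuffle of main() does not move a lookup ahead of it.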