Re: [RFC][PATCH 00/20] Mount writer count and read-only bindmounts (v2)

[Dave Hansen]

On Sat, 2006-06-17 at 01:29 +0200, Grzegorz Kulewski wrote:
> Isn't this some kind of security risk (at least in my planned use)? I mean 
> - for a small fraction of second somebody seeing /dest can write 
> /source... No? 

I assume you're talking about this kind of situation:

mount --bind /local/writable/dir /chroot/untrusted/area/
mount --o remount,ro /chroot/untrusted/area/

Where there is a window where someone in the chroot can write into the
local directory.  Yes.  There would be a race there.

However, you can also do the following, which will have no window.  It
has a few more steps, but it is a much simpler thing to deal with in the
kernel.  Believe me, it starts to get ugly when you try to handle
permission and flag changes at mount time.  Keeping --bind'ing as *just*
a simple "copy the source mount" operation makes the implementation very
much simpler.

This has no r/w window in the chroot area:

mount --bind /local/writable/dir /tmp/area/
mount --o remount,ro /tmp/area/
mount --bind /tmp/area/ /chroot/untrusted/area/
umount /tmp/area/

-- Dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/