From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001 From: Karel Zak Date: Mon, 26 Nov 2012 14:30:22 +0100 Subject: [PATCH] mount: sanitize paths from non-root users $ mount /root/.ssh/../../dev/sda2 mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot this is too promiscuous. It seems better to ignore on command line specified paths which are not resolve-able for non-root users. Fixed version: $ mount /root/.ssh/../../dev/sda2 mount: /root/.ssh/../../dev/sda2: Permission denied $ mount /dev/sda2 mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot Note that this bug has no relation to mount(2) permissions evaluation in suid mode. The way how non-root user specifies paths on command line is completely irrelevant for comparison with fstab entries. Signed-off-by: Karel Zak Signed-off-by: Petr Uzel
---
 sys-utils/Makefile.am | 1 +
 sys-utils/mount.c | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Index: util-linux-2.21.2/sys-utils/Makefile.am
===================================================================
--- util-linux-2.21.2.orig/sys-utils/Makefile.am
+++ util-linux-2.21.2/sys-utils/Makefile.am
@@ -64,6 +64,7 @@ dist_man_MANS += mount.8 ../mount/fstab.
 mount_SOURCES = mount.c \
 $(top_srcdir)/lib/env.c \
 $(top_srcdir)/lib/xgetpass.c \
+ $(top_srcdir)/lib/canonicalize.c \
 $(top_srcdir)/lib/strutils.c
 mount_LDADD = $(ul_libmount_la) $(SELINUX_LIBS)
Index: util-linux-2.21.2/sys-utils/mount.c
===================================================================
--- util-linux-2.21.2.orig/sys-utils/mount.c
+++ util-linux-2.21.2/sys-utils/mount.c
@@ -38,6 +38,7 @@
 #include "strutils.h"
 #include "exitcodes.h"
 #include "xalloc.h"
+#include "canonicalize.h"
 /*** TODO: DOCS:
 *
@@ -572,6 +573,37 @@ static struct libmnt_table *append_fstab
 return fstab;
 }
+/*
+ * Check source and target paths -- non-root user should not be able to
+ * resolve paths which are unreadable for him.
+ */
+static void sanitize_paths(struct libmnt_context *cxt)
+{
+ const char *p;
+ struct libmnt_fs *fs = mnt_context_get_fs(cxt);
+
+ if (!fs)
+ return;
+
+ p = mnt_fs_get_target(fs);
+ if (p) {
+ char *np = canonicalize_path_restricted(p);
+ if (!np)
+ err(MOUNT_EX_USAGE, "%s", p);
+ mnt_fs_set_target(fs, np);
+ free(np);
+ }
+
+ p = mnt_fs_get_srcpath(fs);
+ if (p) {
+ char *np = canonicalize_path_restricted(p);
+ if (!np)
+ err(MOUNT_EX_USAGE, "%s", p);
+ mnt_fs_set_source(fs, np);
+ free(np);
+ }
+}
+
 static void __attribute__((__noreturn__)) usage(FILE *out)
 {
 fputs(USAGE_HEADER, out);
@@ -880,6 +912,9 @@ int main(int argc, char **argv)
 } else
 usage(stderr);
+ if (mnt_context_is_restricted(cxt))
+ sanitize_paths(cxt);
+
 if (oper) {
 /* MS_PROPAGATION operations, let's set the mount flags */
 mnt_context_set_mflags(cxt, oper);
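Review bot: The return values of `mnt_fs_set_target()` and `mnt_fs_set_source()` are ignored in sanitize_paths(), so if either call fails the context presumably keeps the path exactly as the unprivileged user typed it and mount carries on with it. Because this function is the gate for restricted callers it should fail closed, e.g. `if (mnt_fs_set_target(fs, np)) errx(MOUNT_EX_SYSERR, "%s: cannot set target", p);` and the same for the source. The `err()` calls also depend on `canonicalize_path_restricted()` leaving a meaningful errno on failure; that function is defined outside this patch, so this is worth confirming. The two near-identical target/source blocks could share one small static helper.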
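Review bot: The call added in main() carries no comment, and its placement is what makes the fix work: it has to run after the positional source/target have been stored in the context and before anything compares them with fstab or prints them. I would add above it something like `/* non-root: canonicalize user-supplied paths first, so later lookups and error messages never expose what the caller cannot resolve */`. If umount takes paths from unprivileged users in the same way it presumably needs the same guard, which this patch does not show. main()'s body starts and ends outside the hunk.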