Re: [RFC][PATCH 00/20] Mount writer count and read-only bindmounts (v2)

From: Dave Hansen
Date: Fri Jun 16 2006 - 19:42:22 EST


On Sat, 2006-06-17 at 01:29 +0200, Grzegorz Kulewski wrote:
> Isn't this some kind of security risk (at least in my planned use)? I mean
> - for a small fraction of second somebody seeing /dest can write
> /source... No?

I assume you're talking about this kind of situation:

mount --bind /local/writable/dir /chroot/untrusted/area/
mount --o remount,ro /chroot/untrusted/area/

Where there is a window where someone in the chroot can write into the
local directory. Yes. There would be a race there.

However, you can also do the following, which will have no window. It
has a few more steps, but it is a much simpler thing to deal with in the
kernel. Believe me, it starts to get ugly when you try to handle
permission and flag changes at mount time. Keeping --bind'ing as *just*
a simple "copy the source mount" operation makes the implementation very
much simpler.

This has no r/w window in the chroot area:

mount --bind /local/writable/dir /tmp/area/
mount --o remount,ro /tmp/area/
mount --bind /tmp/area/ /chroot/untrusted/area/
umount /tmp/area/

-- Dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/