Re: klik, loop mounts, and insecurity [was: statement from one of the klik project members]
On Fri, Jan 20, 2006 at 03:59:23PM +0000, Kurt Pfeifle wrote:
> Wouter Verhelst wrote on debian-devel@lists.debian.org:
> > [Re-adding Cc to Kurt, as he's mentioned he isn't subscribed]
> >
> > On Fri, Jan 20, 2006 at 01:20:26PM +0800, Cameron Patrick wrote:
> > > Kurt Pfeifle wrote:
> > > > The klik client installation needs root privileges once, to add 7 lines
> > > > like this one to /etc/fstab:
> > > >
> > > > /tmp/app/1/image /tmp/app/1 cramfs,iso9660 user,noauto,ro,loop,exec 0
> > > > 0
> > >
> > > Doesn't this introduce a local root exploit? A user can easily write
> > > their own /tmp/app/1/image file which contains, say, a setuid root bash
> > > executable.
> >
> > Yes, that's exactly what I was afraid of, myself.
>
> Please try "man mount". If your manpage is similar to mine, it will
> contain something like:
>
> ---------------------------- snip ----------------------------------
> OPTIONS
> user Allow an ordinary user to mount the file system. The name
> of the mounting user is written to mtab so that he can un-
> mount the file system again. This option implies the op-
> tions noexec, nosuid, and nodev (unless overridden by sub-
> sequent options, as in the option line user,exec,dev,suid).
> ---------------------------- snap ----------------------------------
>
> Note the part mentioning "nosuid" - and compare it to the fstab line
> used by klik. :-)
You might want to read your manpage a bit more:
nosuid Do not allow set-user-identifier or set-group-identifier
bits to take effect. (This seems safe, but is in fact
rather unsafe if you have suidperl(1) installed.)
Particularly note the parenthetical sentence.
On another point, I believe you said earlier that the admin is required to
add 7 of those lines to fstab before klik could be used. Does that mean
that no more than 7 applications can be installed, or that no more than 7
users can use klik on the one machine? Either way, it seems quite
artificially limiting. If I have an 8th user who wants to use klik, what do
I do?
- Matt
Reply to: