
Bug#838958: linux: mount(2) _silently_ ignores other mountflags when MS_BIND is set



Source: linux
Severity: important
Tags: upstream

From the mount(2) man page:

    MS_BIND (Linux 2.4 onward)
        Perform a bind mount, making a file or a directory subtree visible at
        another point within a filesystem. Bind mounts may cross filesystem
        boundaries and span chroot(2) jails. The filesystemtype and data
        arguments are ignored. Up until Linux 2.6.26, mountflags was also
        ignored (the bind mount has the same mount options as the underlying
        mount point).

Apparently, this applies to recent kernels too (at least 3.16).

Silently ignoring user-specified flags can open security holes, e.g. when
a sysadm bind-mounts a filesystem for use by a container, thinking the mount
will be read-only:

# mount -o bind,ro /usr /containers/X/usr

Despite mount returning successfully, container X has /usr mounted
read/write, and root inside the container can easily corrupt/subvert
the host system.

Please keep in mind that recent versions of mount(1) work around the bug, by
calling mount() twice (once with the "bind" flag, then with the other flags),
but other applications calling mount() directly are usually affected.
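The two-step sequence described above, as an added example (not code from the report or from mount(1)): bind first, then remount the bind with MS_REMOUNT|MS_BIND to set the read-only flag, and verify the result with statvfs(3) rather than trusting the return code. It assumes a kernel of 2.6.26 or later, where MS_REMOUNT|MS_BIND changes per-mount flags; the function names are this example's own.

```c
/* Added example, not from the bug report: the two-step sequence mount(1)
 * uses for a genuinely read-only bind, plus a post-check. Names are ours. */
#include <errno.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
/* Per-mount flags a MS_REMOUNT|MS_BIND call may set; everything else is dropped. */
unsigned long ro_remount_flags(unsigned long extra)
{
    unsigned long keep = MS_NOSUID | MS_NODEV | MS_NOEXEC;
    return MS_REMOUNT | MS_BIND | MS_RDONLY | (extra & keep);
}
/* 0 when target is a verified read-only bind of src, else -1 with errno set.
 * A single mount(..., MS_BIND|MS_RDONLY, ...) is not enough: MS_RDONLY is
 * ignored on the bind call, so the new mount inherits the source's rw state. */
int bind_mount_ro(const char *src, const char *target, unsigned long extra)
{
    struct statvfs st;
    /* Step 1: the bind itself; any other flag passed here is ignored. */
    if (mount(src, target, NULL, MS_BIND, NULL) != 0)
        return -1;
    /* Step 2: remount the bind read-only (what mount(1) does internally). */
    if (mount(NULL, target, NULL, ro_remount_flags(extra), NULL) != 0) {
        int saved = errno;
        umount(target);               /* do not leave a rw bind behind */
        errno = saved;
        return -1;
    }
    /* Step 3: never trust the return code alone; check the effective state. */
    if (statvfs(target, &st) != 0)
        return -1;
    if (!(st.f_flag & ST_RDONLY)) {
        umount(target);
        errno = EACCES;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;
    if (bind_mount_ro(argv[1], argv[2], 0) != 0) {
        perror("bind_mount_ro");
        return 1;
    }
    printf("%s is now a read-only bind of %s\n", argv[2], argv[1]);
    return 0;
}
```

Run as root with an existing source and target directory; a non-root call fails at step 1 with EPERM and nothing is mounted.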

Best regards,
	giuseppe

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
