From fd31a7c0ba7f1282d2d81193d4d100fdc926b99b Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Mon, 2 Apr 2012 15:28:56 -0400 Subject: mount.cifs: don't allow unprivileged users to mount onto dirs to which they can't chdir If mount.cifs is installed as a setuid root program, then a user can use it to gather information about files and directories to which he does not have access. One of the first things that mount.cifs does is to chdir() into the mountpoint and then proceeds to perform the mount onto ".". A malicious user could exploit this fact to determine information about directories to which he does not have access. Specifically, whether the dentry in question is a file or directory and whether it exists at all. This patch fixes this by making the program switch the fsuid to the real uid for unprivileged users when mounting. Note that this is a behavior change. mount.cifs has in the past allowed users to mount onto any directory as long as it's listed in /etc/fstab as a user mount. With this change, the user must also be able to chdir into the mountpoint without needing special privileges. Hopefully not many people have such a pathological configuration. This patch should fix CVE-2012-1586. Reported-by: Jesus Olmos Signed-off-by: Jeff Layton --- mount.cifs.8 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'mount.cifs.8') diff --git a/mount.cifs.8 b/mount.cifs.8 index 1f07d2c..cbf2e76 100644 --- a/mount.cifs.8 +++ b/mount.cifs.8 @@ -659,7 +659,8 @@ The variable may contain the pathname of a file to read the password from\&. A single line of input is read and used as the password\&. .SH "NOTES" .PP -This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled\&. When installed as a setuid program, the program follows the conventions set forth by the mount program for user mounts\&. +This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled\&. When installed as a setuid program, the program follows the conventions set forth by the mount program for user mounts, with the added restriction that users must be able to chdir() into the +mountpoint prior to the mount in order to be able to mount onto it. .PP Some samba client tools like smbclient(8) honour client\-side configuration parameters present in smb\&.conf\&. Unlike those client tools, \fImount\&.cifs\fR -- cgit v1.2.3