Comment # 4 on bug 1170162 from
The umount has another possible attack surface. Even if the program only
allows removable devices to be mounted ... I could insert a removable device
with a UNIX file system on it that contains symlinks.

Then I could point the umount command to /media/$user/somemount/somelink and
the link target would be unmounted. The problem is that the `umount` program
is used for unmounting, which follows symlinks.

It would be better to use the `umount2` system call and pass "UMOUNT_NOFOLLOW"
to avoid symlinks being followed. Another approach could be to forbid slashes
after /media/$user/somemount and to make sure that /media and /media/$user
aren't user controlled.

Can you approach upstream with this?
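
The two mitigations suggested in the comment above, combined in one added example (not part of the original comment and not the code of the program under discussion). The helper names `is_direct_mountpoint` and `safe_unmount` are hypothetical, and the sketch assumes /media and /media/$user are root-owned, which it does not verify.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Hypothetical helper: accept only "/media/<user>/<name>", where <name> is a
 * single path component (no further slashes, not "." or ".."). */
int is_direct_mountpoint(const char *path, const char *user)
{
    char prefix[256];

    if (user[0] == '\0' || strchr(user, '/') ||
        !strcmp(user, ".") || !strcmp(user, ".."))
        return 0;
    int n = snprintf(prefix, sizeof prefix, "/media/%s/", user);
    if (n < 0 || (size_t)n >= sizeof prefix)
        return 0;
    if (strncmp(path, prefix, (size_t)n) != 0)
        return 0;                       /* outside this user's media directory */
    const char *name = path + n;
    if (name[0] == '\0' || strchr(name, '/'))
        return 0;                       /* empty, or reaches below the mount point */
    if (!strcmp(name, ".") || !strcmp(name, ".."))
        return 0;
    return 1;
}

/* Hypothetical wrapper: validate first, then unmount without following a
 * symlink in the final path component. */
int safe_unmount(const char *path, const char *user)
{
    if (!is_direct_mountpoint(path, user)) {
        errno = EINVAL;
        return -1;                      /* umount2 is never reached */
    }
    return umount2(path, UMOUNT_NOFOLLOW);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <user> <path>\n", argv[0]);
        return 2;
    }
    if (safe_unmount(argv[2], argv[1]) != 0) {
        perror("unmount refused or failed");
        return 1;
    }
    return 0;
}
```

`UMOUNT_NOFOLLOW` only stops the final path component from being dereferenced, which is why the single-component check and the ownership assumption on the parent directories are both still needed.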

