http://bugzilla.suse.com/show_bug.cgi?id=1170162
http://bugzilla.suse.com/show_bug.cgi?id=1170162#c5

--- Comment #5 from Simon Lees <simonf.lees@suse.com> ---
(In reply to Matthias Gerstner from comment #4)
> The umount has another possible attack surface. Even if the program only allows removable devices to be mounted ... I could insert a removable device with a UNIX file system on it that contains symlinks.
> Then I could point the umount command to /media/$user/somemount/somelink and the link target would be unmounted. The problem is that the `umount` program is used for unmounting, which follows symlinks.
> It would be better to use the `umount2` system call and pass "UMOUNT_NOFOLLOW" to avoid symlinks being followed. Another approach could be to forbid slashes after /media/$user/somemount and to make sure that /media and /media/$user aren't user controlled.
> Can you approach upstream with this?
I have approached upstream with these. I suspect the reason for not using the umount2 system call is that the mount/unmount section of this helper binary is only intended to be used as a fallback for systems with no udisks2 support, i.e. BSDs. I suspect the safest fix is to conditionally remove the support at compile time when udisks is detected.
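The symlink problem and the two mitigations Matthias describes (unmounting with `umount2` and UMOUNT_NOFOLLOW, and only accepting a single path component below a root-controlled /media/$user) as an added illustration in C. This is not code from the helper binary or from upstream; the function names, the "/media/<user>/<name>" layout, the ownership and mode policy for /media, and the temporary-directory demo are assumptions made for this example.

```c
/* Added example: hardening a privileged umount helper against symlink
 * redirection.  Not the helper discussed in the bug; names and the
 * /media/<user>/<name> layout are assumptions for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* A string that can only name one entry of one directory:
 * non-empty, no '/', not "." or "..". */
static int is_single_component(const char *s)
{
    return s[0] != '\0' && strchr(s, '/') == NULL &&
           strcmp(s, ".") != 0 && strcmp(s, "..") != 0;
}

/* Accept only "/media/<user>/<name>": fixed prefix plus one component.
 * Rejects "/media/alice/usb/../../etc" and "/media/alice/usb/somelink"
 * (the second is still a symlink risk, handled by UMOUNT_NOFOLLOW below).
 * Returns 1 if acceptable, 0 otherwise. */
int check_media_path(const char *user, const char *path)
{
    char prefix[PATH_MAX];
    int n;

    if (!is_single_component(user))
        return 0;
    n = snprintf(prefix, sizeof prefix, "/media/%s/", user);
    if (n < 0 || (size_t)n >= sizeof prefix)
        return 0;
    if (strncmp(path, prefix, (size_t)n) != 0)
        return 0;
    return is_single_component(path + n);
}

/* Assumed policy: /media and /media/<user> must be real directories
 * (lstat, so a symlink fails), owned by root and not group/other
 * writable.  Otherwise the user could replace them and the prefix
 * check above would prove nothing. */
int dir_is_root_controlled(const char *dir)
{
    struct stat st;

    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

/* The last component may itself be a symlink on the removable medium.
 * UMOUNT_NOFOLLOW stops the kernel dereferencing it, so only a real
 * mount point at exactly this path can be unmounted; plain umount(2)
 * would follow the link and unmount its target instead. */
int umount_nofollow(const char *path)
{
    return umount2(path, UMOUNT_NOFOLLOW);
}

/* Whole chain as a privileged helper would run it. */
int umount_user_media(const char *user, const char *name)
{
    char userdir[PATH_MAX], target[PATH_MAX];

    if (!is_single_component(user) || !is_single_component(name)) {
        errno = EINVAL;
        return -1;
    }
    snprintf(userdir, sizeof userdir, "/media/%s", user);
    snprintf(target, sizeof target, "/media/%s/%s", user, name);
    if (!check_media_path(user, target)) { errno = EINVAL; return -1; }
    if (!dir_is_root_controlled("/media") || !dir_is_root_controlled(userdir)) {
        errno = EACCES;
        return -1;
    }
    return umount_nofollow(target);
}

/* Demo that needs no real mount: in a constructed temporary directory,
 * a world-writable directory fails the ownership policy and a symlink
 * (pointing at the directory itself, a harmless non-mount target) is
 * refused by the NOFOLLOW unmount.  Returns 1 if both behave as expected. */
int demo_tmpdir_checks(void)
{
    char tmpl[] = "/tmp/umountdemoXXXXXX";
    char alt[] = "./umountdemoXXXXXX";
    char *dir = mkdtemp(tmpl);
    char link[PATH_MAX];
    int ok = 1;

    if (dir == NULL && (dir = mkdtemp(alt)) == NULL)
        return 0;
    chmod(dir, 0777);
    ok &= dir_is_root_controlled(dir) == 0;
    snprintf(link, sizeof link, "%s/somelink", dir);
    if (symlink(dir, link) != 0)
        ok = 0;
    else
        ok &= umount_nofollow(link) == -1;   /* EINVAL or EPERM, never success */
    unlink(link);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("valid path:   %d\n", check_media_path("alice", "/media/alice/usb"));
    printf("traversal:    %d\n", check_media_path("alice", "/media/alice/usb/../../../etc"));
    printf("tmpdir demo:  %d\n", demo_tmpdir_checks());
    return 0;
}
```

The demo does not need a mounted filesystem: `umount2` on a symlink with UMOUNT_NOFOLLOW fails with EINVAL (the link itself is not a mount point) or EPERM (no CAP_SYS_ADMIN), depending on whether the running kernel checks privilege before or after the path lookup. Both the prefix check and the NOFOLLOW flag are needed: the prefix check alone still lets the user hand the helper a symlink named directly under /media/$user, and NOFOLLOW alone does not stop a path that escapes /media/$user through ".." or a symlinked intermediate directory.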