Comment # 5 on bug 1170162 from
(In reply to Matthias Gerstner from comment #4)
> The umount has another possible attack surface. Even if the program only
> allows removable devices to be mounted ... I could insert a removable device
> with a UNIX file system on it that contains symlinks.
> 
> Then I could point the umount command to /media/$user/somemount/somelink and
> the link target would be unmounted. The problem is that the `umount` program
> is used for unmounting, which follows symlinks.
> 
> It would be better to use the `umount2` system call and pass
> "UMOUNT_NOFOLLOW" to avoid symlinks being followed. Another approach could be
> to forbid slashes after /media/$user/somemount and make sure that /media and
> /media/$user aren't user controlled.
> 
> Can you approach upstream with this?

I have approached upstream with these. I suspect the reason for not using the
umount2 system call is that the mount / unmount section of this helper binary
is only intended to be used as a fallback for systems with no udisks2 support,
i.e. BSDs. I suspect the safest fix is to conditionally remove the support at
compile time when udisks is detected.
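The two mitigations Matthias describes in comment #4, written out as an added example (not the helper binary's own code): the path is restricted to exactly one component under /media/$user, and the actual unmount goes through umount2() with UMOUNT_NOFOLLOW so a symlink planted on a removable filesystem is refused rather than followed. Function names and the /media layout are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Returns 1 only if path is "/media/<user>/<name>" where <name> is a single
 * component (no further slashes, not "." or ".."), so the caller never reaches
 * anything below the mount point; 0 otherwise. <user> must itself be a plain
 * name, since /media and /media/<user> are expected not to be user controlled. */
int is_allowed_mountpoint(const char *path, const char *user)
{
    char prefix[256];

    if (user == NULL || *user == '\0' || strchr(user, '/') != NULL ||
        strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return 0;

    int n = snprintf(prefix, sizeof prefix, "/media/%s/", user);
    if (n < 0 || (size_t)n >= sizeof prefix)
        return 0;
    if (strncmp(path, prefix, (size_t)n) != 0)
        return 0;

    const char *name = path + n;
    if (*name == '\0' || strchr(name, '/') != NULL)
        return 0;                       /* empty or more than one component */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Hypothetical hardened unmount: validates the path, then asks the kernel to
 * refuse a symlink as the final component instead of following it the way the
 * umount(8) program does. Returns 0 on success, -1 with errno set. */
int safe_unmount(const char *path, const char *user)
{
    if (!is_allowed_mountpoint(path, user)) {
        errno = EACCES;
        return -1;
    }
    return umount2(path, UMOUNT_NOFOLLOW);  /* EINVAL if path is a symlink */
}

int main(void)
{
    /* Constructed sample path; unmounting requires a real mount and privilege. */
    if (safe_unmount("/media/alice/usb0", "alice") != 0)
        perror("safe_unmount");
    return 0;
}
```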
