From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: Andrei Borzenkov <arvidjaar@gmail.com>
Cc: Btrfs BTRFS <linux-btrfs@vger.kernel.org>
Subject: Re: subvolumes as partitions and mount options
Date: Mon, 27 Mar 2023 14:50:59 -0500
Message-ID: <CAOLfK3UZDNO_jSOOHtnA+-Hh-V6_cjsL36iZU0a+V=k80KDenQ@mail.gmail.com>
In-Reply-To: <ffca26e0-88e8-1dc7-ce67-6235a94159e1@gmail.com>

On Mon, Mar 27, 2023 at 2:25 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>
> On 27.03.2023 21:48, Matt Zagrabelny wrote:
> > Greetings,
> >
> > I have a root partition btrfs file system.
> >
> > I need to have /tmp, /var, /var/tmp, /var/log, and other directories
> > under separate partitions so that certain mount options can be set for
> > those partitions/directories.
> >
> > I'm testing out a subvolume mount with the subvolume /subv_content
> > mounted at /subv_mnt.
> >
> > For instance, the noexec mount option can be circumvented:
>
> "exec/noexec" option applies to mount instance, it is not persistent
> property of underlying filesystem. It is not specific to btrfs at all.

Agreed. My email was more about subvolumes and the mount point has the
"noexec", but the actual subvolume doesn't - so there exists a path on
disk where folks can exec the same file by circumventing the mount
option by directly invoking the full path under the subvolume.

>
> bor@bor-Latitude-E5450:/tmp/tst$ ./bin/foo.sh
> Hello, world!
> bor@bor-Latitude-E5450:/tmp/tst$ mkdir exec noexec
> bor@bor-Latitude-E5450:/tmp/tst$ sudo mount -o bind,exec bin exec
> bor@bor-Latitude-E5450:/tmp/tst$ sudo mount -o bind,noexec bin noexec
> bor@bor-Latitude-E5450:/tmp/tst$ ./exec/foo.sh
> Hello, world!
> bash: ./noexec/foo.sh: Permission denied
> bor@bor-Latitude-E5450:/tmp/tst$

Agreed completely.

If an attacker can gain access to a system, I'd like /tmp to be
mounted "noexec".

The attacker can execute the foo.sh via /tmp/tst/bin/foo.sh even
though the bind mount (/tmp/tst/noexec) restricts the executing of
programs.

That seems to be the position I am in right now with subvolumes as
opposed to an actual partition.

If I create a separate partition for /tmp and mount it noexec, there
is no backdoor bind mount where the attacker can execute programs
from.

It seems mounting subvolumes works similarly to bind mounts - is there
a way to mimic /tmp being on a separate partition and mounted with
noexec using subvolumes?

Thanks for the help!

-m
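
Added example, not part of the original message or of any btrfs tooling: a mount-table audit that flags every noexec mount whose files are also reachable through another mount of the same filesystem without noexec, which is the subvolume and bind-mount situation described above. The sample table is constructed, and the code assumes that all subvolumes of one btrfs filesystem share a device number in /proc/self/mountinfo.

```python
import posixpath
import re

# Constructed sample in /proc/self/mountinfo format (not from a real system):
# btrfs top-level subvolume at /, the thread's /subv_content mounted noexec
# at /subv_mnt, and an unrelated ext4 /boot.
SAMPLE = """\
25 1 0:22 / / rw,relatime shared:1 - btrfs /dev/sda2 rw,subvolid=5,subvol=/
40 25 0:22 /subv_content /subv_mnt rw,noexec,relatime shared:20 - btrfs /dev/sda2 rw,subvolid=256,subvol=/subv_content
41 25 8:1 / /boot rw,noexec,relatime shared:21 - ext4 /dev/sda1 rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        left, sep, _ = line.partition(" - ")
        f = left.split()
        if not sep or len(f) < 6:
            continue
        mounts.append({"dev": f[2], "root": _unescape(f[3]),
                       "mnt": _unescape(f[4]), "opts": set(f[5].split(","))})
    return mounts

def noexec_bypasses(mounts):
    """Pairs (noexec mount point, path reaching the same files without noexec)."""
    found = []
    for m in mounts:
        if "noexec" not in m["opts"]:
            continue
        for n in mounts:
            if n is m or n["dev"] != m["dev"] or "noexec" in n["opts"]:
                continue
            rel = posixpath.relpath(m["root"], n["root"])
            if rel == ".." or rel.startswith("../"):
                continue  # n's root is not an ancestor of m's root
            found.append((m["mnt"], posixpath.normpath(posixpath.join(n["mnt"], rel))))
    return found

if __name__ == "__main__":
    # Swap SAMPLE for open("/proc/self/mountinfo").read() to audit a live host.
    for mnt, alt in noexec_bypasses(parse_mountinfo(SAMPLE)):
        print(f"{mnt} is noexec, but its files are also reachable at {alt}")
```

The check does not account for another mount stacked on top of the alternate path and hiding it. A noexec subvolume that is not nested under any subvolume mounted without noexec produces no finding.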


Thread overview: 9+ messages
2023-03-27 18:48 subvolumes as partitions and mount options Matt Zagrabelny
2023-03-27 19:25 ` Andrei Borzenkov
2023-03-27 19:50   ` Matt Zagrabelny [this message]
2023-03-27 20:24     ` Graham Cobb
2023-03-27 20:31     ` Matthew Warren
2023-03-27 21:06       ` Matt Zagrabelny
2023-03-28  1:42         ` Matthew Warren
2023-03-28 19:45           ` Matt Zagrabelny
2023-03-29  4:04             ` Andrei Borzenkov
