ecryptfs team mailing list archive
-
ecryptfs team
-
Mailing list archive
-
Message #01822
[Bug 732628] Re: TOCTOU in mount.ecryptfs_private
I'm not the expert on this topic, but for mount, you should be able to:
1- chdir into the mountpoint
2- perform your sanity checks using "."
3- mount using "."
That way, even if the attacker changes symlinks on the path, you should
still be in the original directory he specified. If memory serves,
that's what mount.cifs now does, so you might want to take a look at
it's source.
For umount, newer kernels since 2.6.34 have a UMOUNT_NOFOLLOW flag, or
you can use /bin/umount with --no-canonicalize.
Hope this helps.
--
You received this bug notification because you are a member of eCryptfs,
which is a direct subscriber.
https://bugs.launchpad.net/bugs/732628
Title:
TOCTOU in mount.ecryptfs_private
Status in eCryptfs - Enterprise Cryptographic Filesystem:
Triaged
Status in “ecryptfs-utils” package in Ubuntu:
Triaged
Status in “ecryptfs-utils” package in Debian:
New
Status in “ecryptfs-utils” package in Fedora:
New
Bug description:
check_ownerships() function doesn't work as it should because of a
race condition. Arguments of both mount() and umount() calls can be
changed between the check and the usage. This may lead to arbitrary
mount point umounting or probably to gaining ability to try
passphrases of otherpeople's ecryptfs storages.
lock_counter() is also racy. It (1) tries to check existance and
ownership of the file before open(), (2) neither use stat() instead of
lstat() nor O_NOFOLLOW, (3) is not protected against deletion of the
lock file by the owner. The lock file should be probably created in
root only writable directory before dropping EUID.
Follow ups
References