Imagine a situation where a security problem is found in a setuid binary.

A user upgrades his system to fix the problem, but if he has any ZFS snapshots
for the file system which contains the problematic binary, any user can mount the
snapshot and execute the vulnerable binary.

Prevent this from happening by always mounting snapshots with setuid turned off.

MFC after:	2 weeks
Pawel Jakub Dawidek 2011-05-31 07:02:49 +00:00
parent 7c017a713e
commit 12b9f8e47d
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=222518


@ -171,6 +171,11 @@ mount_snapshot(kthread_t *td, vnode_t **vpp, const char *fstype, char *fspath,
* Snapshots are always read-only.
*/
mp->mnt_flag |= MNT_RDONLY;
/*
* We don't want snapshots to allow access to vulnerable setuid
* programs, so we turn off setuid when mounting snapshots.
*/
mp->mnt_flag |= MNT_NOSUID;
/*
* We don't want snapshots to be visible in regular
* mount(8) and df(1) output.
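Review bot: the new comment above `mp->mnt_flag |= MNT_NOSUID;` understates what the flag does and should be made precise, since it is the only documentation of this behaviour in the hunk. MNT_NOSUID causes the kernel to ignore both the set-user-ID and the set-group-ID bits on every file in the mounted snapshot, regardless of the `setuid` property of the dataset the snapshot was taken from, so the comment should say "setuid/setgid" and note that the snapshot deliberately does not inherit the parent dataset's setting. Setting the flag next to MNT_RDONLY before the mount is completed is the right place for it; a user inspecting the mount will see `nosuid` alongside `read-only`, so the user-visible documentation for snapshot mounts should mention the new flag as well.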