mount: sanitize paths from non-root users

 $ mount /root/.ssh/../../dev/sda2
 mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot

this is too promiscuous. It seems better to ignore on command line
specified paths which are not resolve-able for non-root users.

Fixed version:

  $ mount /root/.ssh/../../dev/sda2
  mount: /root/.ssh/../../dev/sda2: Permission denied

  $ mount /dev/sda2
  mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot

Note that this bug has no relation to mount(2) permissions evaluation
in suid mode. The way how non-root user specifies paths on command
line is completely irrelevant for comparison with fstab entries.

Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/sys-utils/mount.c b/sys-utils/mount.c
index 9b288d610b51e6c5e6c2695e2e03a10f8f5cae0d..43fcaa3277d1683d457fdf0d9c333a406b1a1478 100644 (file)
--- a/sys-utils/mount.c
+++ b/sys-utils/mount.c
@@ -40,6 +40,7 @@
 #include "exitcodes.h"
 #include "xalloc.h"
 #include "closestream.h"
+#include "canonicalize.h"
 
 #define OPTUTILS_EXIT_CODE MOUNT_EX_USAGE
 #include "optutils.h"
@@ -637,6 +638,37 @@ static struct libmnt_table *append_fstab(struct libmnt_context *cxt,
        return fstab;
 }
 
+/*
+ * Check source and target paths -- non-root user should not be able to
+ * resolve paths which are unreadable for him.
+ */
+static void sanitize_paths(struct libmnt_context *cxt)
+{
+       const char *p;
+       struct libmnt_fs *fs = mnt_context_get_fs(cxt);
+
+       if (!fs)
+               return;
+
+       p = mnt_fs_get_target(fs);
+       if (p) {
+               char *np = canonicalize_path_restricted(p);
+               if (!np)
+                       err(MOUNT_EX_USAGE, "%s", p);
+               mnt_fs_set_target(fs, np);
+               free(np);
+       }
+
+       p = mnt_fs_get_srcpath(fs);
+       if (p) {
+               char *np = canonicalize_path_restricted(p);
+               if (!np)
+                       err(MOUNT_EX_USAGE, "%s", p);
+               mnt_fs_set_source(fs, np);
+               free(np);
+       }
+}
+
 static void __attribute__((__noreturn__)) usage(FILE *out)
 {
        fputs(USAGE_HEADER, out);
@@ -998,6 +1030,9 @@ int main(int argc, char **argv)
        } else
                usage(stderr);
 
+       if (mnt_context_is_restricted(cxt))
+               sanitize_paths(cxt);
+
        if (oper) {
                /* MS_PROPAGATION operations, let's set the mount flags */
                mnt_context_set_mflags(cxt, oper);