Bug 4784 - umount.cifs allows all users to unmount shares
Summary: umount.cifs allows all users to unmount shares
Status: RESOLVED FIXED
Alias: None
Product: CifsVFS
Classification: Unclassified
Component: user space tools (show other bugs)
Version: 2.6
Hardware: All Linux
: P3 major
Target Milestone: ---
Assignee: Steve French
QA Contact:
URL:
Keywords:
Depends on:
Blocks: 5159
  Show dependency treegraph
 
Reported: 2007-07-12 18:38 UTC by Steve Langasek
Modified: 2007-12-22 11:43 UTC (History)
3 users (show)

See Also:


Attachments
patch to correctly check the return value of ioctl() (870 bytes, patch)
2007-07-12 18:42 UTC, Steve Langasek
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Steve Langasek 2007-07-12 18:38:14 UTC
umount.cifs in 3.0.25b is assuming wrong semantics for the CIFS_IOC_CHECKUMOUNT ioctl: the return value of ioctl() is checked for a value > 0, when the standard error return from ioctl (and the error return in this case) is -1 with errno set to a more descriptive value.

As a result of misinterpreting the return value, umount.cifs is allowing all users to unmount shares mounted by any other user.  In specialized circumstances, this could become a security hole if a user believes their mount point is safe and the share is unmounted to expose malicious directory contents below.

Patch to follow.
Comment 1 Steve Langasek 2007-07-12 18:42:53 UTC
Created attachment 2815 [details]
patch to correctly check the return value of ioctl()

This patch fixes umount.cifs to correctly treat all non-zero return values from ioctl() as errors, instead of just positive return values.

There is probably a second bug here, in that ENOTTY is being compared against the return value instead of against errno; I'm not absolutely certain that this is a bug, though, and I don't have any machines with older cifs support around that I could check it against, so I haven't included this change in my patch.
Comment 2 Jeremy Allison 2007-12-12 20:46:18 UTC
Applied for 3.0.28a. Thanks !
Jeremy.