Bind mounting a directory to itself

Discussion in 'all things UNIX' started by Gullible Jones, Nov 29, 2012.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Guest

    It turns out you can bind mount a directory to itself. So you can do stuff like this:

    Code:
    # mount --bind /tmp /tmp
# mount -o remount,nodev,nosuid,noexec /tmp
    and have /tmp, /var/tmp, etc. mounted with more secure options, even if they're not on separate partitions.

    This seems kind of nifty, but please don't assume it's problem free; there might be some really nasty caveats for all I know. I'm interested in what the local Linux buffs have to say about this...
     
    Gullible Jones, Nov 29, 2012
    #1
  2. BrandiCandi

    BrandiCandi Guest

    Have you been running this for a while? What is your experience with it? Does it break stuff?
     
    BrandiCandi, Dec 2, 2012
    #2
  3. Gullible Jones

    Gullible Jones Guest

    With bind mounting? No, because I generally use fancy partition layouts. The bind mount thing is just in case that's not practical (e.g. on tiny hard drives).

    If you mean the nodev,nosuid,noexec mount flags... noexec will break dpkg if you put it on /var or /tmp under Debian (or Ubuntu), and may also make your login script not work if applied to /home. Furthermore its coverage is incomplete, since you can still do 'perl nastyscript.pl' or whatever.

    nodev and nosuid are safe in my experience though, provided you don't put them on /dev or anywhere with suid binaries respectively. This stuff probably doesn't offer all that much security, though; and naught against exploits that run as your user (unless you mount all user-writeable areas as noexec as well, which is often not possible and sometimes inconvenient).
     
    Gullible Jones, Dec 2, 2012
    #3
  4. Gullible Jones

    Gullible Jones Guest

    An addendum: most distros mount /dev/shm with full dev,suid permissions. So if you want to make all world-writable areas nodev,nosuid you have to remount /dev/shm too:

    mount -o remount,nodev,nosuid /dev/shm

    Edit: note that nodev is probably not necessary, since there are already limitations in place to keep limited users from creating arbitrary device nodes; OTOH it can't hurt, either. However, there is IMO no excuse whatsoever for not using the nosuid mount option, because tar -p preserves the setuid bit even when run as limited user!

    Edit 2: scratch that, GNU tar preserves setuid but never creates setuid root files when run as limited user. So in theory these measures should not really be necessary... I think.
     
    Last edited by a moderator: Jan 12, 2013
    Gullible Jones, Jan 12, 2013
    #4
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...