Date: Thu, 26 Feb 2015 12:55:13 -0500
From: Daniel Micay <>
Subject: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts

This has been an issue in the kernel for a long time (likely since bind
mounts were introduced), and a patch does exist to fix it but it hasn't
been applied.

Here's the bug report:

Here's the latest iteration of the patch:

This is not only something that software developers will expect to work,
but AFAIK it has always been intended to work. I don't think there's any
disagreement that this is a bug. Leaving the directory tree writable
when it's supposed to be read-only without reporting an error is very

The widely used workaround (among people who realize it doesn't work) is
to remount the bind mount as read-only. That can open up a race and it
also doesn't mix well with MS_REC. The remount call will only apply the
read-only flag to the top-level mount despite MS_REC.

In systemd, there are various features suffering from security flaws due
to this kernel bug. The ReadOnlyDirectories for units only applies to
the top-level mount and systemd-nspawn's --bind-ro switch doesn't make
the submounts read-only. The flaws in systemd are documented so a CVE
assignment for those issues wouldn't make sense. I think they'd be
willing to fix these if the underlying kernel bug is dealt with.
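The practical consequence of the two points above (MS_RDONLY silently dropped on a bind mount, and the remount workaround not recursing into submounts) is that a caller cannot trust the return value of mount(2) and has to verify the result. The following is an added example, not code from the original post or from the kernel or systemd projects: it checks a target and every mount beneath it for the per-mount "ro" option as reported in /proc/self/mountinfo (field 6 of each line). The function names, the /jail/data path and the mountinfo lines are constructed for illustration and are assumptions, not data from the post.

```c
/* Added example: verify that a mount point and all submounts under it are
 * read-only according to /proc/self/mountinfo. Not from the original post.
 * mountinfo line layout (see proc(5)):
 *   id parent maj:min root mountpoint mount-options [optional...] - fstype source super-options
 * The per-mount "ro" in field 6 is what a MS_BIND|MS_RDONLY request should produce. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the comma-separated per-mount option string contains "ro". */
static int opts_have_ro(const char *opts) {
    const char *p = opts;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && strncmp(p, "ro", 2) == 0) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Does mount point mp equal target or lie beneath it?
 * target is an absolute path without a trailing slash. */
static int under_target(const char *mp, const char *target) {
    size_t tl = strlen(target);
    if (strncmp(mp, target, tl) != 0) return 0;
    return mp[tl] == '\0' || mp[tl] == '/';
}

/* Returns 1 if every mount at or below target carries the per-mount "ro"
 * option, 0 if at least one of them is writable, -1 if nothing is mounted
 * at target. mountinfo is the full text of /proc/self/mountinfo. */
int subtree_all_ro(const char *mountinfo, const char *target) {
    char *copy = strdup(mountinfo);   /* strtok_r modifies its input */
    if (!copy) return -1;
    int seen = 0, all_ro = 1;
    char *saveline = NULL;
    for (char *line = strtok_r(copy, "\n", &saveline); line;
         line = strtok_r(NULL, "\n", &saveline)) {
        char *savefield = NULL;
        char *f[6] = {0};
        int i = 0;
        for (char *tok = strtok_r(line, " ", &savefield); tok && i < 6;
             tok = strtok_r(NULL, " ", &savefield))
            f[i++] = tok;
        if (i < 6) continue;                 /* malformed line, skip it */
        if (!under_target(f[4], target)) continue;
        seen = 1;
        if (!opts_have_ro(f[5])) all_ro = 0; /* one writable mount is enough to fail */
    }
    free(copy);
    return seen ? all_ro : -1;
}

/* Constructed sample (hypothetical paths): a MS_BIND|MS_RDONLY request that the
 * kernel silently ignored, so the bind mount and its submount both show "rw". */
static const char SAMPLE_IGNORED[] =
    "36 25 0:32 / /jail/data rw,relatime shared:1 - ext4 /dev/sda2 rw,data=ordered\n"
    "37 36 0:33 / /jail/data/sub rw,relatime shared:2 - ext4 /dev/sda3 rw\n";

/* Constructed sample after the usual workaround (remount with MS_RDONLY): the
 * top-level mount is "ro" but the submount stays "rw", since the remount does
 * not recurse even when MS_REC is passed. */
static const char SAMPLE_REMOUNTED[] =
    "36 25 0:32 / /jail/data ro,relatime shared:1 - ext4 /dev/sda2 rw,data=ordered\n"
    "37 36 0:33 / /jail/data/sub rw,relatime shared:2 - ext4 /dev/sda3 rw\n";

/* Constructed sample where the whole subtree really is read-only. */
static const char SAMPLE_GOOD[] =
    "36 25 0:32 / /jail/data ro,relatime shared:1 - ext4 /dev/sda2 rw,data=ordered\n"
    "37 36 0:33 / /jail/data/sub ro,relatime shared:2 - ext4 /dev/sda3 rw\n";

int main(void) {
    printf("ignored flag  -> %d\n", subtree_all_ro(SAMPLE_IGNORED, "/jail/data"));   /* 0 */
    printf("remount only  -> %d\n", subtree_all_ro(SAMPLE_REMOUNTED, "/jail/data")); /* 0 */
    printf("fully ro      -> %d\n", subtree_all_ro(SAMPLE_GOOD, "/jail/data"));      /* 1 */
    printf("not mounted   -> %d\n", subtree_all_ro(SAMPLE_GOOD, "/nowhere"));        /* -1 */
    return 0;
}
```

On a live system, read /proc/self/mountinfo into a buffer and pass it to subtree_all_ro() right after the mount(2) call; a result other than 1 means the sandbox is not as read-only as requested, regardless of what mount(2) returned. Note that mountinfo escapes spaces in paths as \040, which this parser does not decode, so targets containing spaces would need that extra step.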
