Bug#1027833: user-mode-linux: hostfs directory traversal
* Ritesh Raj Sarraf, 2023-01-20 16:59:
> The current upstream documentation does warn about the functionality,
> and does not advertise anything about confining the namespace.

Er, but it does talk about confinement:

> Hostfs without any parameters to the UML Image will allow the image
> to mount any part of the host filesystem and write to it. Always
> confine hostfs to a specific "harmless" directory (for example
> ``/var/tmp``) if running UML. This is especially important if UML is
> being run as root.

--
Jakub Wilk
Bug#1027833: user-mode-linux: hostfs directory traversal
Hello Jakub,

On Wed, 2023-01-11 at 18:39 +0100, Jakub Wilk wrote:
> * Ritesh Raj Sarraf, 2023-01-10 18:43:
> > > The man page says that hostfs kernel param is "used to confine all
> > > hostfs mounts to within the specified directory tree on the host".
> > > But it's trivial to escape this confinement with ../ sequences:
> > >
> > > # mount none -t hostfs -o ../../../../../../../../home/bob/secrets /mnt
> >
> > Could you please share the kernel command line option passed to the
> > running uml instance ?
>
> I used with something like this:
>
> $ linux hostfs=/srv/chroots/unstable-i386/ rootfstype=hostfs init=/bin/sh quiet

I think the manpage is misleading. Note that the manpage was especially prepared for Debian and was last touched many years ago. I only looked for its correctness now, now that you reported it.

The current upstream documentation does warn about the functionality, and does not advertise anything about confining the namespace.

I will try to fix it in time for Bookworm. Otherwise patches welcome.

The latest up-to-date documentation is available in the kernel sources at: Documentation/virt/uml/user_mode_linux_howto_v2.rst

To quote from the documentation:

Host file access
================

If you want to access files on the host machine from inside UML, you can treat it as a separate machine and either nfs mount directories from the host or copy files into the virtual machine with scp. However, since UML is running on the host, it can access those files just like any other process and make them available inside the virtual machine without the need to use the network. This is possible with the hostfs virtual filesystem. With it, you can mount a host directory into the UML filesystem and access the files contained in it just as you would on the host.

*SECURITY WARNING*

Hostfs without any parameters to the UML Image will allow the image to mount any part of the host filesystem and write to it. Always confine hostfs to a specific "harmless" directory (for example ``/var/tmp``) if running UML. This is especially important if UML is being run as root.

--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
Bug#1027833: user-mode-linux: hostfs directory traversal
* Ritesh Raj Sarraf, 2023-01-10 18:43:
> > The man page says that hostfs kernel param is "used to confine all
> > hostfs mounts to within the specified directory tree on the host".
> > But it's trivial to escape this confinement with ../ sequences:
> >
> > # mount none -t hostfs -o ../../../../../../../../home/bob/secrets /mnt
>
> Could you please share the kernel command line option passed to the
> running uml instance ?

I used with something like this:

$ linux hostfs=/srv/chroots/unstable-i386/ rootfstype=hostfs init=/bin/sh quiet

--
Jakub Wilk
Bug#1027833: user-mode-linux: hostfs directory traversal
Hello Jakub,

On Tue, 2023-01-03 at 22:28 +0100, Jakub Wilk wrote:
> The man page says that hostfs kernel param is "used to confine all
> hostfs mounts to within the specified directory tree on the host".
> But it's trivial to escape this confinement with ../ sequences:
>
> # mount none -t hostfs -o ../../../../../../../../home/bob/secrets /mnt

Could you please share the kernel command line option passed to the running uml instance ?

--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
Bug#1027833: user-mode-linux: hostfs directory traversal
Package: user-mode-linux
Version: 6.0um1+b1
Tags: security

The man page says that hostfs kernel param is "used to confine all hostfs mounts to within the specified directory tree on the host". But it's trivial to escape this confinement with ../ sequences:

# mount none -t hostfs -o ../../../../../../../../home/bob/secrets /mnt

-- System Information:
Architecture: i386

--
Jakub Wilk
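
Added example, not part of the bug report and not UML's hostfs code: the confinement problem reported above, shown in C as a root-prefix join beside a check that rejects any request climbing above the root. It assumes, for illustration only, that the host path is formed by joining the hostfs= root with the mount option; naive_join, stays_inside and confined_join are hypothetical names, and the check is lexical, so it does not account for symlinks on the host.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for illustration: confinement that only prefixes the root. */
int naive_join(const char *root, const char *req, char *out, size_t n)
{
    int len = snprintf(out, n, "%s/%s", root, req);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/*
 * Walk req component by component, tracking depth below the root.
 * Returns 0 if no prefix of req climbs above the root, -1 otherwise.
 * Purely lexical: symlinks on the host are not resolved.
 */
int stays_inside(const char *req)
{
    int depth = 0;
    while (*req) {
        size_t len = strcspn(req, "/");
        if (len == 2 && req[0] == '.' && req[1] == '.') {
            if (--depth < 0)
                return -1;
        } else if (len > 0 && !(len == 1 && req[0] == '.')) {
            depth++;
        }
        req += len;
        while (*req == '/')
            req++;
    }
    return 0;
}

/* Hardened form: refuse the request instead of building an escaping path. */
int confined_join(const char *root, const char *req, char *out, size_t n)
{
    return stays_inside(req) == 0 ? naive_join(root, req, out, n) : -1;
}

int main(void)
{
    const char *root = "/srv/chroots/unstable-i386";   /* from the report */
    const char *req = "../../../../../../../../home/bob/secrets";
    char path[256];
    naive_join(root, req, path, sizeof path);
    printf("naive:    %s\n", path);
    printf("confined: %s\n", confined_join(root, req, path, sizeof path) ? "rejected" : path);
    return 0;
}
```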