Debian Patches

Status for 9mount/1.3+hg20170412-3

Patch Description Author Forwarded Bugs Origin Last update
manpages.patch
  Forwarded: no

chown.patch
  Forwarded: no

security-fix-when-passing-nodev-and-nosu.patch
  Description: SECURITY FIX: When passing nodev and nosuid, set appropriate mount() options too
9mount passes flags=0 to the mount(2) syscall. For non-root users,
9mount appends the strings "nosuid" and "nodev" to the mount options
string (the "data" argument to mount(2)). However, this has NO security
effect whatsoever:

The Linux VFS enforces nosuid/nodev restrictions exclusively through
the integer "flags" parameter of mount(2) — specifically MS_NOSUID
(bit 2) and MS_NODEV (bit 4). These flags control the MNT_NOSUID
and MNT_NODEV bits in the kernel's struct vfsmount, which are the
only mechanism the kernel checks when deciding whether to honor SUID
bits on executables (mnt_may_suid() in fs/namespace.c) or allow
device node access.

The options string ("data" parameter) is passed verbatim to the
filesystem driver for FS-specific parsing. The 9p filesystem driver
(fs/9p/) does not recognize "nosuid" or "nodev" at all — it simply
ignores them. These strings have zero effect on mount security.

Since 9mount passes flags=0, the resulting mount has SUID and device
nodes fully enabled. Any unprivileged user can mount a malicious 9P
server that serves a SUID root binary, then execute it to gain root.
  Author: Andrej Shadura <andrewsh@debian.org>
  Forwarded: no
  Last update: 2026-06-01
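
The flags-versus-data distinction in the description above, as an added example that is not the Debian patch or 9mount's own code: a mount helper can split a user-supplied option string so that generic VFS options become MS_* bits in "flags" and only filesystem-specific options reach the 9p driver through "data". The helper name split_mount_opts and the sample option strings are assumptions made for illustration.

```c
#include <string.h>
#include <sys/mount.h>   /* MS_NOSUID, MS_NODEV, MS_NOEXEC, MS_RDONLY */

/* Generic VFS options: these belong in mount(2) "flags", not in "data". */
static const struct { const char *name; unsigned long flag; } vfs_opts[] = {
    { "nosuid", MS_NOSUID }, { "nodev", MS_NODEV },
    { "noexec", MS_NOEXEC }, { "ro",    MS_RDONLY },
};

/*
 * split_mount_opts() is a hypothetical helper, not 9mount code. It copies
 * filesystem-specific options from `opts` into `data` and sets *flags from
 * the generic ones. A non-root caller always gets MS_NOSUID | MS_NODEV.
 * Returns 0 on success, -1 if `data` is too small.
 */
int split_mount_opts(const char *opts, int is_root, unsigned long *flags,
                     char *data, size_t datalen)
{
    size_t used = 0, n = sizeof vfs_opts / sizeof vfs_opts[0];

    if (datalen == 0)
        return -1;
    data[0] = '\0';
    *flags = is_root ? 0 : (MS_NOSUID | MS_NODEV);

    while (*opts) {
        size_t i, len = strcspn(opts, ",");

        for (i = 0; i < n; i++)
            if (strlen(vfs_opts[i].name) == len &&
                strncmp(opts, vfs_opts[i].name, len) == 0)
                break;

        if (i < n) {
            *flags |= vfs_opts[i].flag;      /* enforced by the VFS */
        } else if (len > 0) {               /* left for the fs driver */
            if (used + (used ? 1 : 0) + len + 1 > datalen)
                return -1;
            if (used)
                data[used++] = ',';
            memcpy(data + used, opts, len);
            used += len;
            data[used] = '\0';
        }
        opts += len;
        if (*opts == ',')
            opts++;
    }
    return 0;
}
```

The resulting values are what a caller would hand to mount(source, target, "9p", flags, data); checking the mounted entry in /proc/self/mountinfo for nosuid and nodev confirms the kernel recorded them.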
