The do_change_type routine has a missing check for capable(CAP_SYS_ADMIN). Even
though the mount command restricts the changing of mountpoint type to only root
users, it is possible for local unprivileged users to bypass and abuse this.
Created attachment 311232
Upstream patch for this issue
Proposed upstream patch:
It is possible for a normal user to mark a mount unbindable which cannot be
rebound, and deny the administrator from bind mounting it to somewhere else.
It is also possible for a normal user to mark a private mount shared silently,
such that if the administrator decides to bind mount it, it will become a
sharable mount, even though the administrator may not intend it to be sharable.
Created attachment 311453
Proposed backported patch for RHEL-5.3
This was addressed via:
Red Hat Enterprise Linux version 5 (RHSA-2008:0885)
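To check for the silent propagation changes described in this report (a private mount turned shared or unbindable), an administrator can compare each mount's propagation type against an expected baseline. This is an added example, not code from the bug report or the patch; it assumes a kernel that exposes /proc/self/mountinfo (Linux 2.6.26 or later), and the function names, sample lines and baseline are constructed for illustration.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not from a real host).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw
30 22 8:17 / /srv/data rw,relatime shared:5 - ext3 /dev/sdb1 rw
31 22 8:33 / /srv/backup rw,relatime unbindable - ext3 /dev/sdc1 rw
32 22 8:49 / /srv/my\\040replica rw,relatime master:5 - ext3 /dev/sdd1 rw
"""

def _unescape(path):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def propagation_types(mountinfo_text):
    """Map mount point -> 'private', 'shared', 'slave', 'shared+slave' or 'unbindable'."""
    result = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields sit between index 6 and "-"
        except ValueError:
            continue  # malformed or truncated line
        tags = {f.split(":", 1)[0] for f in fields[6:sep]}
        if "unbindable" in tags:
            kind = "unbindable"
        elif "shared" in tags and "master" in tags:
            kind = "shared+slave"
        elif "shared" in tags:
            kind = "shared"
        elif "master" in tags:
            kind = "slave"
        else:
            kind = "private"  # no optional fields means a private mount
        result[_unescape(fields[4])] = kind
    return result

def propagation_drift(mountinfo_text, baseline, default="private"):
    """Return sorted (mount point, expected, actual) for mounts that differ from the baseline."""
    current = propagation_types(mountinfo_text)
    return sorted((mp, baseline.get(mp, default), kind)
                  for mp, kind in current.items()
                  if kind != baseline.get(mp, default))

if __name__ == "__main__":
    # Constructed baseline: only "/srv/my replica" is expected to be a slave mount.
    for mp, want, got in propagation_drift(SAMPLE_MOUNTINFO, {"/srv/my replica": "slave"}):
        print(f"{mp}: expected {want}, found {got}")
```

On a live system, pass the contents of /proc/self/mountinfo in place of the sample text.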