The do_change_type routine has a missing check for capable(CAP_SYS_ADMIN). Even though the mount command restricts the changing of mountpoint type to only root users, it is possible for local unprivileged users to bypass and abuse this.
Created attachment 311232: Upstream patch for this issue
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee6f958291e2a768fd727e7a67badfff0b67711a
It is possible for a normal user to mark a mount unbindable which cannot be rebound, and deny the administrator from bind mounting it to somewhere else. It is also possible for a normal user to mark a private mount shared silently, such that if the administrator decides to bind mount it, it will become a sharable mount, even though the administrator may not intend it to be sharable.
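Added example, not part of the original bug report or the kernel patch: a defender-side audit that reads mount propagation state and reports mounts that differ from what the administrator expects, which is how a silently shared or unbindable mount as described above would show up. It assumes a kernel that exposes `/proc/self/mountinfo` (which may not be the case on the kernel discussed here); the function names, the baseline format and the sample text are hypothetical and constructed for illustration.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not from a real host).
SAMPLE_MOUNTINFO = r"""
21 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw
34 21 8:3 / /data rw,relatime shared:7 - ext3 /dev/sda3 rw
35 21 8:4 / /backup rw,relatime unbindable - ext3 /dev/sda4 rw
36 21 8:5 / /srv/my\040files rw master:7 propagate_from:2 - ext3 /dev/sda5 rw
"""

# Optional-field tags that describe propagation; "master:N" marks a slave mount.
TAGS = {"shared": "shared", "master": "slave", "unbindable": "unbindable"}


def _unescape(path):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def propagation_states(mountinfo_text):
    """Return {mount_point: state}, e.g. 'private', 'shared', 'shared+slave'."""
    states = {}
    for line in mountinfo_text.splitlines():
        fields = line.split(" ")
        try:
            # Optional fields sit between field 6 and the "-" separator.
            sep = fields.index("-", 6)
        except ValueError:
            continue  # blank or malformed line
        tags = {f.split(":", 1)[0] for f in fields[6:sep]}
        state = sorted(TAGS[t] for t in tags if t in TAGS) or ["private"]
        # For stacked mounts the last (topmost) entry wins.
        states[_unescape(fields[4])] = "+".join(state)
    return states


def find_drift(mountinfo_text, baseline):
    """Return {mount_point: (expected, actual)} where the state differs.

    Mounts missing from the baseline are expected to be private.
    """
    drift = {}
    for mount_point, actual in propagation_states(mountinfo_text).items():
        expected = baseline.get(mount_point, "private")
        if actual != expected:
            drift[mount_point] = (expected, actual)
    return drift


if __name__ == "__main__":
    for mp, (want, got) in find_drift(SAMPLE_MOUNTINFO, {}).items():
        print(f"{mp}: expected {want}, found {got}")
```

On a live system, pass the contents of `/proc/self/mountinfo` instead of the sample and keep the baseline under configuration management.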
Created attachment 311453: Proposed backported patch for RHEL-5.3
This was addressed via: Red Hat Enterprise Linux version 5 (RHSA-2008:0885)