path: root/gitlog-to-changelog
author: Josef Möllers <jmoellers@suse.de> 2020-05-29 14:35:43 +0000
committer: Dmitry V. Levin <ldv@altlinux.org> 2020-05-29 14:35:43 +0000
commit: 27ded8954a1235bb65ffc9c730ae5a50b1dfed61 (patch)
tree: 934530590943bdd2363e82e26d7cd204445675a2 /gitlog-to-changelog
parent: 6eaaa1b1207c17ce06e97167373e5f9c063b5cae (diff)
pam_setquota: skip mountpoints equal to the user's $HOME

Matthias Gerstner found the following issue:

<quote>
So this pam_setquota module iterates over all mounted file systems using `setmntent()` and `getmntent()`. It tries to find the longest match of a file system mounted on /home/$USER or above (except when the fs=/some/path parameter is passed to the pam module).

The thing is that /home/$USER is owned by the unprivileged user. And there exist tools like fusermount from libfuse which is by default installed setuid-root for everybody. fusermount allows to mount a FUSE file system using an arbitrary "source device name" as the unprivileged user.

Thus considering the following use case:

1) there is only the root file system (/) or a file system is mounted on /home, but not on /home/$USER.
2) the attacker mounts a fake FUSE file system over its own home directory:

```
user $ export _FUSE_COMMFD=0
user $ fusermount $HOME -ononempty,fsname=/dev/sda1
```

This will result in a mount entry in /proc/mounts looking like this:

```
/dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
```

3) when the attacker now logs in with pam_setquota configured then pam_setquota will identify /dev/sda1 and the file system where to apply the user's quota on.

As a result an unprivileged user has full control over onto which block device the quota is applied.
</quote>

If the user's $HOME is on a separate partition, setting a quota on the user's $HOME does not really make sense, so this patch skips mountpoints equal to the user's $HOME, preventing the above mentioned bug as a side-effect (or vice-versa).

Reported-by: Matthias Gerstner <mgerstner@suse.de>
Co-authored-by: Tomáš Mráz <tmraz@redhat.com>
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/230
Diffstat (limited to 'gitlog-to-changelog')
0 files changed, 0 insertions, 0 deletions
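
The longest-match mount selection described in the commit message, with and without the skip of mount points equal to $HOME, as an added example that is not the linux-pam source. The struct, the function names, the `/dev/vda2` device and the `alice` home directory are hypothetical, and the matching rule is an assumption about what "longest match" means here.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the struct mntent fields used here. */
struct mount_entry {
    const char *fsname; /* mnt_fsname: source device name */
    const char *dir;    /* mnt_dir: mount point */
};

/* Return 1 if dir is home itself or a parent directory of home. */
static int covers_home(const char *dir, const char *home)
{
    size_t n = strlen(dir);
    if (n == 0 || strncmp(home, dir, n) != 0)
        return 0;
    /* Require a path-component boundary after the prefix so that
       /home/al does not count as a parent of /home/alice. */
    return dir[n - 1] == '/' || home[n] == '\0' || home[n] == '/';
}

/* Pick the device of the longest mount point covering home.
   With skip_home set, a mount point equal to home is ignored,
   which is the behaviour the commit message describes.
   Returns NULL when no entry qualifies. */
const char *select_quota_device(const struct mount_entry *tab, size_t count,
                                const char *home, int skip_home)
{
    const char *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(tab[i].dir);
        if (!covers_home(tab[i].dir, home))
            continue;
        if (skip_home && strcmp(tab[i].dir, home) == 0)
            continue; /* entry on $HOME itself: user-controllable */
        if (best == NULL || n > best_len) {
            best = tab[i].fsname;
            best_len = n;
        }
    }
    return best;
}

/* Constructed mount table: root file system plus a FUSE entry on $HOME. */
const struct mount_entry sample_mounts[] = {
    { "/dev/vda2", "/" },
    { "/dev/sda1", "/home/alice" },
};
```

Without the skip, the entry on `/home/alice` wins the longest match and its user-chosen source name is returned; with the skip, selection falls back to the file system mounted above $HOME.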