Bugtraq mailing list archives

Re: nfs_mount in AIX


From: ccaaand () ucl ac uk (Andrew Dawson)
Date: Thu, 27 Apr 1995 09:04:53 +0100


> I don't have access to AIX, so I can't read the vmount() docs, so this
> may be a non-issue...but unless it enforces "nosuid,nodev" for non-root
> mounts, there are much greater problems - like someone mounting a
> filesystem providing suid executables, or device special files with
> permissive mode bits.

According to the vmount() documentation in Info-Explorer here (AIX 3.2.5):

"A mount to a directory or a file can be issued if the user has both of the
 following:
 - Search permission to the directory or file to mount
 - Search and write permission to the directory or file to mount over.
 To mount a block device, remote file, or remote directory, the calling process
 must also have root user authority."

> (Note that if, as the first message implies,
> vmount() allows the mounting of a daemon on a directory, then these
> executables and/or special files do not have to actually exist
> anywhere; root access on another machine is not needed.)

I'm not sure I understand exactly what you mean by "mounting of a daemon on a
directory", but it sounds like what IBM would refer to as writing your own
"virtual file system helper". In AIX, entries for these have to be added to
/etc/vfs, which shouldn't be writeable by normal users.

Andrew.

-- 
+-----------------------------------------------------------------------------+
|     Andrew Dawson, Systems Integration Section, Operating Systems Group     |
|        Information Systems Division, University College London              |
+-----------------------------------------------------------------------------+
