Bypass Secure Mount Points on Linux

To mount or not to mount… it’s really not a question. You want your data? Mount your drives. But how do you do it securely? Can we limit the chance of privilege escalation through restrictive mounts?

Let’s look at some of the common mounting options within Linux; by default filesystems are mounted with the following options set: rw, suid, dev, exec, auto, nouser, and async.

rw – Makes the drive readable and writable.
suid – Allows the SUID or SGID bits to be active.
dev – Interprets character or block special devices.
exec – Permits the execution of binary files.
auto – Allows the mounting of the filesystem with the ‘mount -a’ command.
nouser – Forbids a non-root user from mounting the filesystem.
async – All input and output on the filesystem should be done asynchronously.

For security we have these few basic mount options: (I’ll cover encryption later on down the line)

ro – Mounts the filesystem as read only.
nodev – Does not interpret character or block special devices on the filesystem.
noexec – Denies binary file execution.
nosuid – Denies the use of SUID and SGID bits on files.

Application: mount -o nodev,noexec,nosuid /dev/{deviceID} /tmp
– This mounts the specified filesystem to /tmp and doesn’t allow SUID or SGID bits or the execution of binaries, and does not interpret character or block special devices.
– Nothing should be allowed to execute from this directory. The mount still allows the writing of files such as logs and parsed data, but an attacker cannot execute malicious binary files from this location.
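To check that a mount point actually carries these options, the mount table can be audited. The script below is an added example, not part of the original post: the helper name missing_opts and the sample table are constructed for illustration, and on a live host the function reads /proc/mounts by default.

```sh
#!/bin/sh
# Added example: audit a mount point for nodev, noexec and nosuid.

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /var/tmp ext4 rw,relatime 0 0
EOF
}

# missing_opts MOUNTPOINT [MOUNTS_FILE]   (hypothetical helper name)
# MOUNTS_FILE defaults to /proc/mounts; "-" reads the table from stdin.
# Prints the missing options, comma separated.
# Exit status: 0 = all three set, 1 = some missing, 2 = not a separate mount
# (the directory then inherits the options of its parent filesystem).
missing_opts() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; found = 1 }   # a later entry overrides an earlier one
        END {
            if (!found) { print "not-mounted"; exit 2 }
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) have[a[i]] = 1
            m = split("nodev noexec nosuid", want, " ")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in have))
                    out = out (out == "" ? "" : ",") want[i]
            if (out != "") { print out; exit 1 }
        }' "${2:-/proc/mounts}"
}

# Report on a few locations in the constructed sample; /home has no entry.
for mp in /tmp /var/tmp /dev/shm /home; do
    if out=$(sample_mounts | missing_opts "$mp" -); then
        echo "$mp: ok"
    else
        echo "$mp: ${out}"
    fi
done
```

A result of not-mounted is worth treating as a finding too, since that directory inherits whatever options its parent filesystem was mounted with.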

Be careful and put some deep thought into the mount options for your filesystems. These options can prevent security incidents from becoming more dangerous. I use the word “prevent” loosely because these options can be bypassed by using /lib/ to execute binaries residing on those filesystems.

Syntax for bypassing restrictive mounts on older kernels:
$ /lib/ ~/id
uid=1001(edd) gid=1001(edd) groups=1001(edd),1002(wheel)

Syntax for bypassing restrictive mounts on newer kernels:
Execute fixelf.c to bypass.
{REF for fixelf.c}