Comment 22 for bug 670622

In , Vincent (vincent-redhat-bugs) wrote :

In addition to the --no-canonicalize option, the --fake option is also required in umount, which is present in 2.18:

http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff;h=97a3cef4f1

Another relevant util-linux-ng commit is:

http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff;h=1cf4c20b19 ("spec" still canonicalized)

The above two would be required for util-linux-ng in RHEL6. All of the commits would be required for util-linux in RHEL5.

Fedora 14 has the required util-linux-ng version, but needs the fuse fixes backported. SUSE has a patch to fuse to make it use --no-canonicalize and --fake which should fix the issue:

https://bugzilla.novell.com/attachment.cgi?id=399921

Unfortunately, I've been using RHEL6 to test with the above patches (to fuse and util-linux-ng), and the proof of concept still works. So I don't think these patches are sufficient to correct the problem, although I'm not sure what is missing.

Tom, would you have a chance to look at this and see if perhaps something is missing? FWIW, I cannot reproduce this on F14. Despite there being no group restrictions on fuse (not sure why that's the case), I get the following error:

sh Test.sh
Using target call count 8
Move triggered at count 8
fusermount: user has no write access to mountpoint /proc
fusermount: could not determine username

(although sometimes that first fusermount error shows:

fusermount: user has no write access to mountpoint /home/vdanen/tmp/CVE-2010-3879/tmp/proc

which is the user-mounted directory).

By contrast, fuse-2.8.5-2.fc13 and util-linux-ng-2.17.2-8.fc13 allow me to reproduce this on F13. The same fuse version is on both, but F14 has (a newer) util-linux-ng-2.18-4.5.fc14.