From: Pawel Jakub Dawidek
To: freebsd-fs@freebsd.org
Cc: rwatson@freebsd.org
Date: Tue, 27 Jan 2004 00:00:34 +0100
Subject: Analysis of mounts/unmounts issues.
Message-ID: <20040126230034.GK565@garage.freebsd.pl>

Hello.

This is a short analysis of mount(2)/unmount(2) problems related to usermounts, unprivileged root and jails.

I've found many issues related to this topic, here is a list of those issues:

1. Root from inside of jail is able to unmount _any_ file system (except /) from even outside of jail.
2. Even if security.bsd.suser is set to 0, root is able to unmount file systems mounted by privileged root (except /).
3. If usermount is set to 1, user from inside of jail is able to mount file system (if support for required file system is compiled in kernel or loaded as a kld module), but with MNT_NOSUID and MNT_NODEV flags set. Insufficient check is in two places: for normal mounts and for mounts with MNT_UPDATE flag set.
4. Let's assume that usermount is set to 1 and user mounts file system, now we're setting usermount to 0 and user is still able to unmount file system mounted by him previously.

My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts for unprivileged root, because there is no chance to check if security.bsd.suser was 0 or 1 while file system was mounted.

Patch is here:
http://garage.freebsd.pl/patches/vfs_mount.c.2.patch

Things to discuss.

Should we permit mounts/unmounts inside of jail if usermount is set to 1? Maybe there should be 'jailmount' variable to control this?

Should we store in mount structure value of security.bsd.suser while file system is mounted to permit unmount and mount with MNT_UPDATE flag set operations for unprivileged root? This will give us a complete solution.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
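
The decision logic discussed in the message above, as a user-space C model added here for illustration; it is not taken from the linked patch or from the FreeBSD kernel. All type and function names are hypothetical. The non-root rule (usermount must currently be 1 and the caller must own the mount) and the reading of the "store security.bsd.suser in the mount structure" idea are assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>

/* User-space model; all names are hypothetical, none are kernel symbols. */
enum mount_op { OP_MOUNT, OP_UPDATE, OP_UNMOUNT };

struct cred_model   { uid_t uid; bool jailed; };
struct sysctl_model { bool usermount; bool suser; }; /* usermount, security.bsd.suser */
struct mount_model {
    uid_t owner;          /* uid that performed the mount */
    bool  suser_at_mount; /* proposed field: security.bsd.suser when mounted */
};

/*
 * Returns 0 when the operation is allowed, EPERM otherwise.
 * mp is not read for OP_MOUNT. track_suser=false models the strict fix;
 * track_suser=true models the variant that consults the saved
 * security.bsd.suser value (from "Things to discuss").
 */
int mount_op_check(const struct cred_model *cr, const struct sysctl_model *sc,
                   enum mount_op op, const struct mount_model *mp,
                   bool track_suser)
{
    if (cr->jailed)
        return EPERM;            /* issues 1 and 3: nothing from inside a jail */
    if (cr->uid == 0) {
        if (sc->suser)
            return 0;            /* privileged root */
        /* Unprivileged root: the strict fix denies every operation. */
        if (!track_suser || op == OP_MOUNT)
            return EPERM;
        /* Variant: only mounts root made while it was unprivileged (issue 2). */
        return (mp->owner == 0 && !mp->suser_at_mount) ? 0 : EPERM;
    }
    /* Assumed non-root rule: usermount is on now and the caller owns the mount. */
    if (!sc->usermount)
        return EPERM;            /* issue 4: checked at operation time */
    if (op != OP_MOUNT && mp->owner != cr->uid)
        return EPERM;
    return 0;
}
```

With `track_suser` false, unprivileged root cannot unmount even its own mounts, which is the limitation the saved-value variant is meant to lift.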