From: Harry Schmalzbauer (OmniLAN)
To: Alan Somers, freebsd-fs@freebsd.org
Date: Sun, 5 Jan 2025 13:47:51 +0100
Subject: Re: jails and fusefs - D16371 question regarding unprivileged user
Message-ID: <9c5b2002-99e7-4ae4-8a70-7f2a5b0a68e4@omnilan.de>
References: <908d635a-ab6f-42cf-89ac-f805d2048c4d@omnilan.de> <91fbc680-5496-48da-9d1d-4b2c806cf82f@omnilan.de> <41d077bb-dd57-492c-92cd-fadee8e680cc@omnilan.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

On 2025-01-04 22:53, Alan Somers wrote:
> On Sat, Jan 4, 2025 at 2:39 PM Harry Schmalzbauer wrote:
....
>> For now I set the setuid bit on JAILROOT/bin/mount_fusefs.
>>
>> **This works fine** (signing in via RDP as an unprivileged user (with
>> freerdp/remmina) allows me to access my shared remote-client directory
>> in the jailed XFCE4 session).
...
>
> What is the value of enforce_statfs in your jail? It must be < 2 for
> mounting within the jail to work.

Thanks for your help. The jail config is fine (enforce_statfs is set to 1 in that case); as mentioned, utilizing mount_fusefs(8) works as expected in my jail as long as the process invoking it is privileged. My issue is that vfs.usermount doesn't affect how mount requests from jails are handled. Even if setting vfs.usermount to 1 on my host would enable unprivileged users in my jail to use mount_fusefs(8), this setting has unwanted side effects - I don't want users to mount anything on the host.
*I don't know if it is intentional* that vfs.usermount is ignored for jailed processes. What we really would need is a jail-only setting allowing user mounts. Global for all jails might be sufficient, since you have to selectively allow.mount each fs type separately. Per jail would be the best implementation. Maybe I'm overlooking some other security impact of allowing unprivileged processes to mount from/inside jails!?!

For my current use case, I could tolerate vfs.usermount affecting the host security because no users other than the su(1)-permitted admin can sign in. But I'm not sure I can cope with the security implications of having the /sbin/mount_fusefs SUID permission bit set, which is my current solution (which makes user-mounting RDPDR fusefs work!).

Thanks,
-harry
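The interim workaround discussed in this message is a setuid mount_fusefs inside the jail root. As an added example (not code from the thread or from FreeBSD), here is a small POSIX sh audit that lists setuid binaries under a jail root and flags mount_fusefs specifically, so the workaround can be tracked and removed once a proper per-jail user-mount setting exists; the jail root path and the demo layout are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a defender-side audit of a jail root
# for setuid binaries. The thread's interim workaround is a SUID
# mount_fusefs inside the jail, so the check flags that binary specifically.
# The jail root path is an assumption; pass the real JAILROOT as argument.

# Print every regular file with the setuid bit set under the given root,
# one path per line (works with both BSD and GNU find).
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Exit status 0 if a setuid mount_fusefs exists under the root, 1 otherwise.
has_suid_mount_fusefs() {
    list_setuid "$1" | grep -q '/mount_fusefs$'
}

# Human-readable report: list each setuid file, marking mount_fusefs.
report_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        case "${f##*/}" in
            mount_fusefs) printf 'SUID mount_fusefs (user-mount workaround): %s\n' "$f" ;;
            *)            printf 'setuid binary: %s\n' "$f" ;;
        esac
    done
}

# Stand-alone demo on a constructed, throwaway "jail root" (placeholder
# layout only; a real jail would hold far more files).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/bin"
    : > "$root/sbin/mount_fusefs"; chmod 4755 "$root/sbin/mount_fusefs"
    : > "$root/bin/su";            chmod 4755 "$root/bin/su"
    : > "$root/bin/ls";            chmod 0755 "$root/bin/ls"
    report_setuid "$root"
    if has_suid_mount_fusefs "$root"; then
        echo "finding: unprivileged jail users can mount fusefs via SUID helper"
    fi
    rm -rf "$root"
}

demo
```

Run it against the real jail root (e.g. `report_setuid /path/to/JAILROOT`) from the host, since the jail's own view of the files is what an unprivileged jailed user would exploit.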