Date: Sun, 5 Jan 2025 09:19:26 -0700
From: Alan Somers <asomers@freebsd.org>
To: Harry Schmalzbauer <freebsd@omnilan.de>
Cc: freebsd-fs@freebsd.org
Subject: Re: jails and fusefs - D16371 question regarding unprivileged user
Message-ID: <CAOtMX2jyDvsN89NETYthXCdKWHXU8wenOc6Uzn0coqZTDFS2ZQ@mail.gmail.com>
In-Reply-To: <9c5b2002-99e7-4ae4-8a70-7f2a5b0a68e4@omnilan.de>
References: <908d635a-ab6f-42cf-89ac-f805d2048c4d@omnilan.de>
 <CAOtMX2iNrvwp8S1_e+ZvttKG5Y_F-ja=n30k4BK1VzWkS7Dkig@mail.gmail.com>
 <91fbc680-5496-48da-9d1d-4b2c806cf82f@omnilan.de>
 <CAOtMX2j0VaojtrF_t26aCA=RgwYOQovcaByMwmEW2aFvkrAPkA@mail.gmail.com>
 <41d077bb-dd57-492c-92cd-fadee8e680cc@omnilan.de>
 <CAOtMX2jraMCtZEJxM9XkWuU9Ay66g72Wdtw7idH7hbVzTkrg5A@mail.gmail.com>
 <9c5b2002-99e7-4ae4-8a70-7f2a5b0a68e4@omnilan.de>
On Sun, Jan 5, 2025 at 5:47 AM Harry Schmalzbauer <freebsd@omnilan.de> wrote:
>
> On 2025-01-04 22:53, Alan Somers wrote:
> > On Sat, Jan 4, 2025 at 2:39 PM Harry Schmalzbauer <freebsd@omnilan.de> wrote:
> ....
> >> For now I set the setuid bit to JAILROOT/bin/mount_fusefs.
> >>
> >> **This works fine** (signing in via RDP as unprivileged user (with
> >> freerdp/remmina) allows me to access my shared remote-client directory
> >> in the jailed XFCE4 session).
> ...
> >
> > What is the value of enforce_statfs in your jail? It must be < 2 for
> > mounting within the jail to work.
>
> Thanks for your help. The jail config is fine (enforce_statfs is set to
> 1 in that case); as mentioned, utilizing mount_fusefs(8) is working as
> expected in my jail as long as the process invoking it is privileged.
>
> My issue is that vfs.usermount doesn't affect how mount requests from
> jails are handled.
> Even if setting vfs.usermount to 1 on my host would enable unprivileged
> users in my jail to mount_fusefs(8), this setting has unwanted side
> effects - I don't want users to mount anything on the host.
>
> *I don't know if it is intentional* that vfs.usermount is ignored for
> jailed processes.
> What we really would need is a jail-only setting allowing user mounts.
> Global for all jails might be sufficient, since you have to selectively
> allow.mount each fs-type separately.
> Per jail would be the best implementation.
>
> Maybe I overlook any other security impact of allowing unprivileged
> processes to mount from/inside jails!?!
>
> For my current use case, I could tolerate vfs.usermount affecting the
> host security because no users other than the su(1)-permitted admin can
> sign in.
> But I'm not sure I can cope with the security implication of having the
> /sbin/mount_fusefs SUID permission bit set, which is my current solution
> (which makes user-mounting RDPDR fusefs work!).
>
> Thanks,
> -harry

Looking through the code, I see that revision 7533652025eb80bc769f019ba6cb82c4f500443d is the first that ever allowed mounting from within a jail. But it only allowed mounting by jailed privileged users. There's no public record of the code review, so I don't know what was discussed.

I'd be wary of granting extra privileges to jails, though. Jail security can be tricky. There are a number of ways, for example, for a jailed privileged user to collaborate with an unjailed unprivileged user in order to gain root outside of the jail.

I will note that there's another option. mac(9) can choose to allow an operation that would otherwise be disallowed. So it would be possible to write a rule that would allow a user (perhaps a specific user, or all users, or a range, etc) to mount a file system. mac_bsdextended doesn't have that ability, but it could be added. mac_biba, mac_lowmac, and mac_mls all do. However, I don't know those well enough to write rules for them. You'll have to do some research there.

Hope that helps,
-Alan
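The thread above names three things an administrator would want to check on a jail before trusting this setup: whether a privileged process in the jail can mount fusefs at all (allow.mount, allow.mount.fusefs, and enforce_statfs < 2), whether the setuid workaround on mount_fusefs is present in the jail root, and what the host's vfs.usermount setting does and does not cover. The script below is an added example written for this page, not code from the thread or from FreeBSD. It assumes that `jls -n` prints parameters as `name=value` tokens with boolean parameters as `name` or `noname`, and that `stat -f '%Mp%Lp'` prints an octal mode such as `4555` (or `stat -f %Sp` a symbolic one such as `-r-sr-xr-x`); the sample input values are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): read-only audit of the
# jail mount settings discussed above. Assumptions: `jls -n` prints
# "name=value" tokens and booleans as "name"/"noname"; modes come from
# `stat -f '%Mp%Lp'` (octal) or `stat -f %Sp` (symbolic).

# Pick one parameter out of a line of `jls -n` output.
# Prints 1/0 for a boolean, the raw value for an integer, "unset" if absent.
jls_param() {
    line=$1
    name=$2
    for tok in $line; do
        case $tok in
            "$name")    echo 1; return 0 ;;
            "no$name")  echo 0; return 0 ;;
            "$name="*)  echo "${tok#*=}"; return 0 ;;
        esac
    done
    echo unset
}

# The conditions from the thread: enforce_statfs must be < 2, and both
# allow.mount and allow.mount.fusefs must be set. Arguments in that order.
# Prints "yes" or "no: <first failing condition>".
jail_fusefs_mount_verdict() {
    case $1 in
        0|1) ;;
        *) echo "no: enforce_statfs=$1 (must be < 2)"; return 0 ;;
    esac
    [ "$2" = 1 ] || { echo "no: allow.mount is not set"; return 0; }
    [ "$3" = 1 ] || { echo "no: allow.mount.fusefs is not set"; return 0; }
    echo yes
}

# Does a mode carry the setuid bit? Accepts a 4-digit octal mode (4xxx-7xxx)
# or a symbolic mode with 's'/'S' in the owner-execute slot.
suid_finding() {
    case $1 in
        [4-7]???|???[sS]??????) echo "setuid" ;;
        *) echo "not setuid" ;;
    esac
}

# Per the thread, vfs.usermount is ignored for jailed processes, so enabling
# it only widens what unprivileged users on the host may do.
usermount_note() {
    if [ "$1" = 1 ]; then
        echo "host vfs.usermount=1: unprivileged host users may mount; does not extend to jailed processes"
    else
        echo "host vfs.usermount=0: only privileged users may mount on the host"
    fi
}

audit_report() {
    jls_line=$1
    mode=$2
    usermount=$3
    es=$(jls_param "$jls_line" enforce_statfs)
    am=$(jls_param "$jls_line" allow.mount)
    amf=$(jls_param "$jls_line" allow.mount.fusefs)
    echo "jailed root may mount fusefs : $(jail_fusefs_mount_verdict "$es" "$am" "$amf")"
    echo "mount_fusefs in jail root    : $(suid_finding "$mode")"
    usermount_note "$usermount"
}

# Constructed sample input, standing in for the output of:
#   jls -n -j <jail> enforce_statfs allow.mount allow.mount.fusefs
#   stat -f '%Mp%Lp' <jailroot>/sbin/mount_fusefs
#   sysctl -n vfs.usermount
SAMPLE_JLS="enforce_statfs=1 allow.mount allow.mount.fusefs"
SAMPLE_MODE=4555
SAMPLE_USERMOUNT=0

audit_report "$SAMPLE_JLS" "$SAMPLE_MODE" "$SAMPLE_USERMOUNT"
```

On a real host, replace the three SAMPLE_ values with the live outputs named in the comment. A "yes" verdict together with a "setuid" finding describes exactly the configuration the thread is uneasy about: any user who can run the binary in the jail gets the mount privilege that the jail parameters otherwise reserve for jailed root.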