From: Alan Somers
Date: Sun, 5 Jan 2025 09:19:26 -0700
Subject: Re: jails and fusefs - D16371 question regarding unprivileged user
To: Harry Schmalzbauer
Cc: freebsd-fs@freebsd.org
List-Id: Filesystems
List-Archive: https://lists.freebsd.org/archives/freebsd-fs
In-Reply-To: <9c5b2002-99e7-4ae4-8a70-7f2a5b0a68e4@omnilan.de>
References: <908d635a-ab6f-42cf-89ac-f805d2048c4d@omnilan.de> <91fbc680-5496-48da-9d1d-4b2c806cf82f@omnilan.de> <41d077bb-dd57-492c-92cd-fadee8e680cc@omnilan.de> <9c5b2002-99e7-4ae4-8a70-7f2a5b0a68e4@omnilan.de>

On Sun, Jan 5, 2025 at 5:47 AM Harry Schmalzbauer wrote:
>
> On 2025-01-04 22:53, Alan Somers wrote:
> > On Sat, Jan 4, 2025 at 2:39 PM Harry Schmalzbauer wrote:
> ....
> >> For now I set the setuid bit to JAILROOT/bin/mount_fusefs.
> >>
> >> **This works fine** (signing in via RDP as unprivileged user (with
> >> freerdp/remmina) allows me to access my shared remote-client directory
> >> in the jailed XFCE4 session).
> ...
> >
> > What is the value of enforce_statfs in your jail? It must be < 2 for
> > mounting within the jail to work.
>
> Thanks for your help. The jail config is fine (enforce_statfs is set to
> 1 in that case); as mentioned, utilizing mount_fusefs(8) is working as
> expected in my jail as long as the process invoking it is privileged.
>
> My issue is that vfs.usermount doesn't affect how mount requests from
> jails are handled.
> Even if setting vfs.usermount to 1 on my host would enable unprivileged
> users in my jail to mount_fusefs(8), this setting has unwanted side
> effects - I don't want users to mount anything on the host.
>
> *I don't know if it is intentional* that vfs.usermount is ignored for
> jailed processes.
> What we really would need is a jail-only setting allowing user mounts.
> Global for all jails might be sufficient, since you have to selectively
> allow.mount each fs-type separately.
> Per jail would be the best implementation.
>
> Maybe I overlook any other security impact of allowing unprivileged
> processes to mount from/inside jails!?!
>
> For my current use case, I could tolerate vfs.usermount affecting the
> host security because no users other than the su(1)-permitted admin can
> sign in.
> But I'm not sure I can cope with the security implication of having the
> /sbin/mount_fusefs SUID permission bit set, which is my current solution
> (which makes user-mounting RDPDR fusefs work!).
>
> Thanks,
> -harry

Looking through the code, I see that revision
7533652025eb80bc769f019ba6cb82c4f500443d is the first that ever allowed
mounting from within a jail. But it only allowed mounting by jailed
privileged users. There's no public record of the code review, so I
don't know what was discussed.

I'd be wary of granting extra privileges to jails, though. Jail security
can be tricky. There are a number of ways, for example, for a jailed
privileged user to collaborate with an unjailed unprivileged user in
order to gain root outside of the jail.

I will note that there's another option. mac(9) can choose to allow an
operation that would otherwise be disallowed. So it would be possible to
write a rule that would allow a user (perhaps a specific user, or all
users, or a range, etc.) to mount a file system. mac_bsdextended doesn't
have that ability, but it could be added. mac_biba, mac_lowmac, and
mac_mls all do. However, I don't know those well enough to write rules
for them. You'll have to do some research there.

Hope that helps,
-Alan
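The thread turns on three things an administrator can check on the host side: the per-jail enforce_statfs value (must be below 2 for any mount inside the jail), the allow.mount and allow.mount.fusefs jail parameters, and whether a setuid mount helper has been planted under the jail root as a workaround. The script below is an added example for auditing those from a jail.conf fragment and a jail root directory; it is not code from this thread, from either poster, or from FreeBSD. The jail.conf text, jail names and paths are constructed placeholders, and the fallback defaults (enforce_statfs 2, allow.mount off) are the ones documented in jail(8).

```shell
#!/bin/sh
# Added example: audit jail.conf for the mount-related settings discussed
# in the thread and report setuid mount helpers under a jail root.
# SAMPLE_JAIL_CONF is constructed for illustration; names are placeholders.

SAMPLE_JAIL_CONF='
desktop {
    path = "/jails/desktop";
    enforce_statfs = 1;
    allow.mount;
    allow.mount.fusefs;
}
web {
    path = "/jails/web";
    enforce_statfs = 2;
    allow.mount = 0;
}
'

# jail_param NAME KEY: print KEY for jail NAME from jail.conf text on stdin.
# A bare "key;" line prints as 1 (jail.conf treats it as true); surrounding
# quotes are stripped. Prints nothing when the key is absent. Deliberately
# minimal: no nested blocks, no "+=", no variable expansion.
jail_param() {
    awk -v jail="$1" -v key="$2" '
        $1 == jail && $2 == "{" { injail = 1; next }
        injail && $1 == "}"     { injail = 0; next }
        injail {
            line = $0
            sub(/;.*$/, "", line)                 # drop ";" and anything after it
            gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
            n = split(line, kv, /[ \t]*=[ \t]*/)
            if (kv[1] == key) {
                val = (n > 1) ? kv[2] : "1"
                gsub(/"/, "", val)
                print val
                exit
            }
        }'
}

# jail_mount_state NAME: classify whether a privileged process in jail NAME
# could mount fusefs at all: enforce_statfs < 2, allow.mount set and
# allow.mount.fusefs set. Reads jail.conf text on stdin, echoes one word.
jail_mount_state() {
    conf=$(cat)
    statfs=$(printf '%s\n' "$conf" | jail_param "$1" enforce_statfs)
    mnt=$(printf '%s\n' "$conf" | jail_param "$1" allow.mount)
    fuse=$(printf '%s\n' "$conf" | jail_param "$1" allow.mount.fusefs)
    : "${statfs:=2}"   # jail(8) default when unset
    : "${mnt:=0}"      # jail(8) default: mounting not allowed
    : "${fuse:=0}"
    if [ "$statfs" -lt 2 ] && [ "$mnt" = 1 ] && [ "$fuse" = 1 ]; then
        echo fusefs-mount-possible
    else
        echo fusefs-mount-blocked
    fi
}

# setuid_mount_helpers ROOT: list setuid regular files named mount* under
# ROOT/sbin and ROOT/bin, i.e. the setuid mount_fusefs workaround from the
# thread. One path per line; always returns 0 so callers can use set -e.
setuid_mount_helpers() {
    for d in "$1/sbin" "$1/bin"; do
        [ -d "$d" ] && find "$d" -type f -perm -4000 -name 'mount*'
    done
    return 0
}

# Stand-alone demo on the constructed config and a throwaway jail root.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/sbin"
: > "$demo_root/sbin/mount_fusefs"
chmod 4755 "$demo_root/sbin/mount_fusefs"   # the setuid bit the thread describes
printf '%s\n' "$SAMPLE_JAIL_CONF" | jail_mount_state desktop   # fusefs-mount-possible
printf '%s\n' "$SAMPLE_JAIL_CONF" | jail_mount_state web       # fusefs-mount-blocked
setuid_mount_helpers "$demo_root"                              # lists the helper
rm -rf "$demo_root"
```

On a real host the same functions would be fed `cat /etc/jail.conf` and the jail's `path`; a reported setuid helper inside a jail root is the finding to track, since it hands every jailed user the mount capability the thread is trying to scope more narrowly.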