From owner-freebsd-arch@FreeBSD.ORG  Sat Jul 19 19:06:15 2003
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
Delivered-To: freebsd-arch@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E49BE37B404
	for <arch@freebsd.org>; Sat, 19 Jul 2003 19:06:15 -0700 (PDT)
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
	by mx1.FreeBSD.org (Postfix) with SMTP id B5C2343F75
	for <arch@freebsd.org>; Sat, 19 Jul 2003 19:06:14 -0700 (PDT)
	(envelope-from iedowse@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa17802@salmon>; 20 Jul 2003 03:06:13 +0100 (BST)
To: arch@freebsd.org
Date: Sun, 20 Jul 2003 03:06:13 +0100
From: Ian Dowse <iedowse@maths.tcd.ie>
Message-ID: <200307200306.aa17802@salmon.maths.tcd.ie>
Subject: *statfs exposure of file system IDs to non-root users
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussion related to FreeBSD architecture
	<freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
	<mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
	<mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jul 2003 02:06:16 -0000


In changing umount(8) to use statfs(2), I just noticed that the
various *statfs calls hide the filesystem IDs from non-root users:

	if (suser(td)) {
		bcopy(sp, &sb, sizeof(sb));
		sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
		sp = &sb;
	}

This was added in vfs_syscalls.c revision 1.61 (March 1997) and
came from OpenBSD. I guess the reason was to hide information that
gets used in NFS filehandles, but it doesn't do us any good now as
you can get the real IDs from getfsstat() as a normal user. Being
able to get and compare file system IDs is useful for umount, and
umount can be used by non-root users when vfs.usermount is set.

Is there a good reason not to delete this fsid hiding? I guess if
we do want to keep the values used in NFS handles secret while still
exposing useful IDs to userland, we could add a separate user-side
fsid to struct mount and use that instead. The IDs for NFS need to
be persistent across reboots, but the user ones don't. Note that
NFS filesystems use a hidden generation number for each file too,
so just knowing the filesystem ID isn't enough on its own to form
a valid handle.

Ian