Date:      Mon, 20 Oct 1997 21:10:02 -0700 (PDT)
From:      Bruce Evans <bde@zeta.org.au>
To:        freebsd-bugs
Subject:   Re: kern/4810: Access checks in msdosfs_mount()
Message-ID:  <199710210410.VAA16296@hub.freebsd.org>

The following reply was made to PR kern/4810; it has been noted by GNATS.

From: Bruce Evans <bde@zeta.org.au>
To: FreeBSD-gnats-submit@FreeBSD.ORG, pavel@slac.stanford.edu
Cc:
Subject: Re: kern/4810: Access checks in msdosfs_mount()
Date: Tue, 21 Oct 1997 13:58:18 +1000

 >>Description:
 >
 >	I noticed this problem because I use a setuid wrapper to allow
 >non-privileged users to mount /def/fd0 as /floppy.  I have noticed that
 >this wrapper works fine for the cd9660 fs (/dev/wcd0c on /cdrom), but
 >fails for msdos fs unless the setuid wrapper is executed by root.
 >
 >I have now traced the problem to the following code in msdosfs_vfsops.c:
 >------------------------------------------------------
 >	/*
 >	 * check to see that the user in owns the target directory.
 >	 * Note the very XXX trick to make sure we're checking as the
 >	 * real user -- were mount() executable by anyone, this wouldn't
 >	 * be a problem.
 >...
 >This code seems intent on checking only the real uid.  Perhaps that
 >semantics is required for some part of the msdosfs security model, but
 >I find it inconvenient and I can't see the justification.  If the euid
 >of the process doing the mount is root, then I think the mount should
 >be allowed.
 
 In -current, mount(2) _is_ executable by anyone, and anyone can mount
 anything (nosuid nodev) on any directory that they own.  Only the euid
 is checked (except in poorly maintained file systems like msdosfs).
 This is too insecure for a release (anyone can deny service by mounting
 any unmounted device) but it shows what msdosfs should do.
 
 This doesn't work in 2.2, because mount_msdos(8) is setuid root to
 get around the restriction on mount(2), so the euid is always root in
 msdosfs_mount().  The "very XXX trick" attempts to recover the previous
 euid by using the ruid.
 
 Fix for 2.2: remove the setuid bit from mount_msdos and change the ruid
 checking to euid checking.  Then add the desired insecurities using a
 wrapper.
 
 Fix for -current: remove the setuid bit from mount_msdos and remove all
 uid checking from msdosfs.  Somehow fix the insecurities (require at
 least read permission on the device being opened?).
 
 Bruce
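The two checks discussed in this thread, the 2.2 msdosfs "very XXX trick" that tests the real uid and the euid check Bruce Evans asks for, modelled side by side. This is an added, constructed example and not FreeBSD's msdosfs_vfsops.c; `struct proc_model`, the check functions and the uid value 1001 are assumptions made for the demonstration, not kernel identifiers.

```c
/* Constructed model of the two ownership checks discussed above; this is
 * not FreeBSD's msdosfs_vfsops.c. The uid values are made up for the demo. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* The pieces of the calling process that matter for the check (assumed). */
struct proc_model {
    uid_t ruid;  /* real uid: the user who ran mount_msdos */
    uid_t euid;  /* effective uid: 0 when the binary is setuid root */
};

/*
 * 2.2-style msdosfs check ("the very XXX trick"): take the real uid as the
 * credential and require it to be root or to own the mount point.  A
 * setuid-root wrapper run by an ordinary user therefore still fails unless
 * that user owns the directory, which is the symptom reported in the PR.
 */
int check_mount_ruid(const struct proc_model *p, uid_t dir_owner)
{
    uid_t cred_uid = p->ruid;  /* models: cred->cr_uid = p_ruid */

    if (cred_uid != 0 && dir_owner != cred_uid)
        return EACCES;
    return 0;
}

/*
 * The check the reply asks for: use the effective uid like the other file
 * systems do, so a process running with euid root is allowed through.
 */
int check_mount_euid(const struct proc_model *p, uid_t dir_owner)
{
    if (p->euid != 0 && dir_owner != p->euid)
        return EACCES;
    return 0;
}

/* Walk the scenarios from the PR and print both verdicts side by side. */
int main(void)
{
    const uid_t user = 1001;  /* constructed unprivileged uid */
    struct {
        const char *what;
        struct proc_model p;
        uid_t dir_owner;
    } cases[] = {
        { "user via setuid wrapper, /floppy owned by root", { user, 0 }, 0 },
        { "user via setuid wrapper, dir owned by user",     { user, 0 }, user },
        { "user, no setuid, dir owned by user",             { user, user }, user },
        { "user, no setuid, dir owned by root",             { user, user }, 0 },
        { "root",                                           { 0, 0 }, 0 },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = check_mount_ruid(&cases[i].p, cases[i].dir_owner);
        int e = check_mount_euid(&cases[i].p, cases[i].dir_owner);
        printf("%-50s ruid check: %-6s euid check: %s\n", cases[i].what,
               r == 0 ? "ok" : "EACCES", e == 0 ? "ok" : "EACCES");
    }
    return 0;
}
```

Compile with `cc -o mountcheck mountcheck.c` and run it. The first row is the PR's situation: the ruid check refuses the setuid wrapper while the euid check admits it. The same row also shows why Bruce wants the setuid bit off mount_msdos once the check moves to the euid: with an euid check, the setuid wrapper alone is what lets any user mount on a directory they do not own, so that permission should be granted deliberately by the wrapper rather than by the file system.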


