From owner-freebsd-bugs Mon Oct 20 21:10:10 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA16305 for bugs-outgoing; Mon, 20 Oct 1997 21:10:10 -0700 (PDT) (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA16296; Mon, 20 Oct 1997 21:10:02 -0700 (PDT) (envelope-from gnats)
Date: Mon, 20 Oct 1997 21:10:02 -0700 (PDT)
Message-Id: <199710210410.VAA16296@hub.freebsd.org>
To: freebsd-bugs
Cc:
From: Bruce Evans
Subject: Re: kern/4810: Access checks in msdosfs_mount()
Reply-To: Bruce Evans
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/4810; it has been noted by GNATS.

From: Bruce Evans
To: FreeBSD-gnats-submit@FreeBSD.ORG, pavel@slac.stanford.edu
Cc:
Subject: Re: kern/4810: Access checks in msdosfs_mount()
Date: Tue, 21 Oct 1997 13:58:18 +1000

>>Description:
>
> I noticed this problem because I use a setuid wrapper to allow
>non-privileged users to mount /dev/fd0 as /floppy. I have noticed that
>this wrapper works fine for the cd9660 fs (/dev/wcd0c on /cdrom), but
>fails for msdos fs unless the setuid wrapper is executed by root.
>
>I have now traced the problem to the following code in msdosfs_vfsops.c:
>------------------------------------------------------
>	/*
>	 * check to see that the user in owns the target directory.
>	 * Note the very XXX trick to make sure we're checking as the
>	 * real user -- were mount() executable by anyone, this wouldn't
>	 * be a problem.
>...
>This code seems intent on checking only the real uid. Perhaps that
>semantics is required for some part of the msdosfs security model, but
>I find it inconvenient and I can't see the justification. If the euid
>of the process doing the mount is root, then I think the mount should
>be allowed.

In -current, mount(2) _is_ executable by anyone, and anyone can mount
anything (nosuid nodev) on any directory that they own.
Only the euid is checked (except in poorly maintained file systems like
msdosfs). This is too insecure for a release (anyone can deny service by
mounting any unmounted device) but it shows what msdosfs should do.

This doesn't work in 2.2, because mount_msdos(8) is setuid root to get
around the restriction on mount(2), so the euid is always root in
msdosfs_mount(). The "very XXX trick" attempts to recover the previous
euid by using the ruid.

Fix for 2.2: remove the setuid bit from mount_msdos and change the ruid
checking to euid checking. Then add the desired insecurities using a
wrapper.

Fix for -current: remove the setuid bit from mount_msdos and remove all
uid checking from msdosfs. Somehow fix the insecurities (require at
least read permission on the device being opened?).

Bruce
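The three policies discussed in this thread, as an added user-space model that is not the FreeBSD msdosfs code: the 2.2-era msdosfs check against the real uid (the "very XXX trick"), the euid check every other file system performs, and the -current style in which the file system does no uid check but the caller must own the mount point and hold read permission on the device. The `creds`/`devnode` structs, the function names and all uids, gids and modes are constructed for illustration; the scenario in `main` is the one from the PR (a non-root user running a setuid-root wrapper to mount a floppy on a root-owned /floppy).

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed model (not FreeBSD kernel code) of a mount-time access check. */
struct creds {
    uid_t ruid;   /* real uid: the user who ran the binary */
    uid_t euid;   /* effective uid: 0 when the binary is setuid root */
    gid_t egid;   /* effective gid, used for the device group bits */
};

/* Simplified description of the device node being mounted (hypothetical). */
struct devnode {
    uid_t owner;
    gid_t group;
    mode_t mode;  /* permission bits only, e.g. 0660 */
};

/* 2.2-style msdosfs check ("very XXX trick"): the mount point must be owned
 * by the REAL uid, so a setuid-root mount_msdos is still judged as the
 * invoking user. Real-uid root bypasses the check. Returns 0 or an errno. */
int mount_check_ruid(const struct creds *c, uid_t dir_owner)
{
    if (c->ruid == 0)
        return 0;
    return dir_owner == c->ruid ? 0 : EACCES;
}

/* What the other file systems do: check the EFFECTIVE uid. A setuid-root
 * wrapper therefore succeeds no matter who owns the mount point. */
int mount_check_euid(const struct creds *c, uid_t dir_owner)
{
    if (c->euid == 0)
        return 0;
    return dir_owner == c->euid ? 0 : EACCES;
}

/* Read permission on the device node: the usual owner/group/other walk for a
 * single permission bit, with euid 0 allowed unconditionally. */
static int can_read_dev(const struct creds *c, const struct devnode *d)
{
    if (c->euid == 0)
        return 1;
    if (c->euid == d->owner)
        return (d->mode & S_IRUSR) != 0;
    if (c->egid == d->group)
        return (d->mode & S_IRGRP) != 0;
    return (d->mode & S_IROTH) != 0;
}

/* -current-style policy from the reply: no uid check inside the file system;
 * mount(2) requires that the caller own the directory, and the file system
 * additionally requires read permission on the device it opens, which is
 * what stops any user from mounting any unmounted device. */
int mount_check_current(const struct creds *c, uid_t dir_owner,
                        const struct devnode *d)
{
    if (c->euid != 0 && dir_owner != c->euid)
        return EACCES;            /* generic mount(2) ownership rule */
    if (!can_read_dev(c, d))
        return EACCES;            /* device read permission rule */
    return 0;
}

int main(void)
{
    /* PR scenario (constructed uids): uid 1001 runs a setuid-root wrapper
     * to mount a floppy device on /floppy, and /floppy is owned by root. */
    struct creds via_wrapper = { .ruid = 1001, .euid = 0, .egid = 5 };
    uid_t floppy_owner = 0;
    struct devnode fd0 = { .owner = 0, .group = 5, .mode = 0660 };

    printf("ruid check:    %d (EACCES is %d)\n",
           mount_check_ruid(&via_wrapper, floppy_owner), EACCES);
    printf("euid check:    %d\n", mount_check_euid(&via_wrapper, floppy_owner));
    printf("-current rule: %d\n",
           mount_check_current(&via_wrapper, floppy_owner, &fd0));
    return 0;
}
```

Under the ruid policy the wrapper fails with EACCES exactly as the PR reports, because the real uid is 1001 while /floppy is owned by root; the euid policy and the -current policy both allow it. The -current model also shows the other side of the trade-off: a plain user mounting on their own directory is refused when the device mode is 0660 and they are not in its group, and allowed once the device is world-readable.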