From: Pawel Jakub Dawidek
To: freebsd-fs@freebsd.org
cc: rwatson@freebsd.org
Date: Sat, 31 Jan 2004 14:31:59 +0100
Subject: Re: Analysis of mounts/unmounts issues.
Message-ID: <20040131133158.GE72053@garage.freebsd.pl>
In-Reply-To: <20040126230034.GK565@garage.freebsd.pl>

On Tue, Jan 27, 2004 at 12:00:34AM +0100, Pawel Jakub Dawidek wrote:
+> This is a short analysis of mount(2)/unmount(2) problems related to
+> usermounts, unprivileged root and jails.
+>
+> I've found many issues related to this topic, here is a list of those issues:
+>
+> 1. Root from inside of jail is able to unmount _any_ file system
+>    (except /) from even outside of jail.
+> 2. Even if security.bsd.suser is set to 0, root is able to unmount
+>    file systems mounted by privileged root (except /).
+> 3. If usermount is set to 1, user from inside of jail is able to
+>    mount file system (if support for required file system is
+>    compiled in kernel or loaded as a kld module), but with
+>    MNT_NOSUID and MNT_NODEV flags set.
+>    Insufficient check is in two places: for normal mounts and
+>    for mounts with MNT_UPDATE flag set.
+> 4. Let's assume that usermount is set to 1 and user mounts file system,
+>    now we're setting usermount to 0 and user is still able to
+>    unmount file system mounted by him previously.
+>
+> My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts
+> for unprivileged root, because there is no chance to check if
+> security.bsd.suser was 0 or 1 while file system was mounted.
+> Patch is here:
+>
+>	http://garage.freebsd.pl/patches/vfs_mount.c.2.patch
+>
+> Things to discuss.
+>
+> Should we permit mounts/unmounts inside of jail if usermount is set to 1?
+> Maybe there should be 'jailmount' variable to control this?
+>
+> Should we store in mount structure value of security.bsd.suser while
+> file system is mounted to permit unmount and mount with MNT_UPDATE flag set
+> operations for unprivileged root? This will give us a complete solution.

OK, I've got a complete solution.

While I was looking at the mksnap_ffs issue, I found that we have the MNT_USER
flag to mark file systems mounted by unprivileged users.
This flag is not used currently.

Patch is here:

	http://garage.freebsd.pl/patches/mount.patch

The patch makes use of the MNT_USER flag, so if a file system is mounted by
unprivileged root, it can be unmounted by him as well.
Mount(8) has been modified to print 'mounted by ' for unprivileged root also.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
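
Added example, not part of the original message and not the linked patch: a userland C model of the mount/unmount policy the message describes, covering the four listed issues and the MNT_USER rule. All struct names, the MODEL_ flag values, and treating unprivileged root like an ordinary user under usermount are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins; these are not the kernel's flag values. */
enum { MODEL_MNT_NOSUID = 1, MODEL_MNT_NODEV = 2, MODEL_MNT_USER = 4 };

struct model_cred   { unsigned uid; bool jailed; };
struct model_sysctl { bool suser_enabled; bool usermount; };
struct model_mount  { unsigned owner; int flags; };

/* "Privileged root": uid 0, security.bsd.suser=1, outside any jail. */
static bool model_privileged(const struct model_cred *c,
                             const struct model_sysctl *s)
{
    return c->uid == 0 && s->suser_enabled && !c->jailed;
}

/* Returns 0 and fills *mp on success, EPERM otherwise (*mp untouched). */
int model_do_mount(const struct model_cred *c, const struct model_sysctl *s,
                   struct model_mount *mp)
{
    bool priv = model_privileged(c, s);

    if (c->jailed || (!priv && !s->usermount))   /* issue 3 */
        return EPERM;
    mp->owner = c->uid;
    /* Tag unprivileged mounts so unmount can recognise them later. */
    mp->flags = priv ? 0 : MODEL_MNT_USER | MODEL_MNT_NOSUID | MODEL_MNT_NODEV;
    return 0;
}

int model_do_unmount(const struct model_cred *c, const struct model_sysctl *s,
                     const struct model_mount *mp)
{
    if (c->jailed)                               /* issue 1 */
        return EPERM;
    if (model_privileged(c, s))
        return 0;
    if (!s->usermount)                           /* issue 4 */
        return EPERM;
    /* Issue 2: only a file system this caller mounted while unprivileged. */
    return ((mp->flags & MODEL_MNT_USER) && mp->owner == c->uid) ? 0 : EPERM;
}

int main(void)
{
    struct model_sysctl s = { false, true };     /* suser=0, usermount=1 */
    struct model_cred root = { 0, false };
    struct model_mount by_priv = { 0, 0 }, mine;

    printf("unmount privileged mount: %d\n", model_do_unmount(&root, &s, &by_priv));
    printf("mount as unprivileged root: %d\n", model_do_mount(&root, &s, &mine));
    printf("unmount own mount: %d\n", model_do_unmount(&root, &s, &mine));
    return 0;
}
```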