Date: Fri, 07 Jul 2023 12:25:44 +0000 From: Jonathan Vasquez <jon@xyinn.org> To: freebsd@igalic.co, freebsd-current@freebsd.org Subject: Re: mount_nullfs: /var/run/log: must be either a file or directory Message-ID: <l70y4UqUGgA9s7JY7J7ZVRQgkHlwmiXp0w2Uqgc5wXna69XgIe0WLXaw1Nyyc12kRFFNDJ3MHKA1DB6wOIrEU1AUqeXyo8VvyLY0ADyC2fk=@xyinn.org> In-Reply-To: <cg0tpJtfXrnRHcTxPtgVhcQwoRWY-vr3PMrATaT7k0vvSuDZxlhe81qjkvJJh-LcLyvK4NOMkaFX70IG-tZY9zMA0giGPEfRdQIxPduXogs=@igalic.co> References: <cg0tpJtfXrnRHcTxPtgVhcQwoRWY-vr3PMrATaT7k0vvSuDZxlhe81qjkvJJh-LcLyvK4NOMkaFX70IG-tZY9zMA0giGPEfRdQIxPduXogs=@igalic.co>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] I'm not a security expert but I would think that null mounting a directory, file, or socket (if/when supported) would always have the chance of being a security problem if the target destination where it's being mounted in is untrusted (like mjg said in the review), but of course that is a decision we need to make ourselves based on our requirements and threat model. If we are null mounting a directory (combined with a ZFS dataset) in a private LAN and exporting that over NFS within the LAN, I would say that isn't a security problem. The same would apply if I were to (for whatever reason) want to share a socket across the network. So overall, it depends how it's being used like a lot of things in life. Jonathan Vasquez PGP: 34DA 858C 1447 509E C77A D49F FB85 90B7 C4CA 5279 Sent with ProtonMail Secure Email -------- Original Message -------- On Jul 7, 2023, 08:10, Mina Galić wrote: > Hi folks, "recently", we added support for null-mounting single files: https://freshbsd.org/freebsd/src/commit/521fbb722c33663cf00a83bca70ad7cb790687b3 This code restricts the mountable … thing to: if ((lowerrootvp->v_type != VDIR && lowerrootvp->v_type != VREG) || … As the author of the abandoned https://reviews.freebsd.org/D27411 which attempted to add facility to syslog's rc to provide (selected) jails with a log socket, it was pointed out to me that this is a big security risk: https://reviews.freebsd.org/D27411#882100 so I was wondering if null mounts are the same kind of security hazard, or if not allowing sockets is just the oversight of a first approximation of this patch? Kind regards, Mina Galić Try PkgBase: https://alpha.pkgbase.live/ [-- Attachment #2 --] I'm not a security expert but I would think that null mounting a directory, file, or socket (if/when supported) would always have the chance of being a security problem if the target destination where it's being mounted in is untrusted (like mjg said in the review), but of course that is a decision we need to make ourselves based on our requirements and threat model. If we are null mounting a directory (combined with a ZFS dataset) in a private LAN and exporting that over NFS within the LAN, I would say that isn't a security problem. The same would apply if I were to (for whatever reason) want to share a socket across the network.<br><br>So overall, it depends how it's being used like a lot of things in life.<br><br><br><div>Jonathan Vasquez<br /></div><div>PGP: 34DA 858C 1447 509E C77A D49F FB85 90B7 C4CA 5279<br /></div><div>Sent with ProtonMail Secure Email<br /></div><div><br /></div><br><br><br><br><br><br>-------- Original Message --------<br>On Jul 7, 2023, 08:10, Mina Galić < freebsd@igalic.co> wrote:<blockquote class="protonmail_quote"><br>Hi folks, "recently", we added support for null-mounting single files: https://freshbsd.org/freebsd/src/commit/521fbb722c33663cf00a83bca70ad7cb790687b3 This code restricts the mountable … thing to: if ((lowerrootvp->v_type != VDIR && lowerrootvp->v_type != VREG) || … As the author of the abandoned https://reviews.freebsd.org/D27411 which attempted to add facility to syslog's rc to provide (selected) jails with a log socket, it was pointed out to me that this is a big security risk: https://reviews.freebsd.org/D27411#882100 so I was wondering if null mounts are the same kind of security hazard, or if not allowing sockets is just the oversight of a first approximation of this patch? Kind regards, Mina Galić Try PkgBase: https://alpha.pkgbase.live/ </div>help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?l70y4UqUGgA9s7JY7J7ZVRQgkHlwmiXp0w2Uqgc5wXna69XgIe0WLXaw1Nyyc12kRFFNDJ3MHKA1DB6wOIrEU1AUqeXyo8VvyLY0ADyC2fk=>