From owner-freebsd-hackers Tue Aug 17 22:08:45 1999
From: Wilfredo Sanchez
Reply-To: wsanchez@apple.com
To: "Daniel O'Connor"
Cc: umeshv@apple.com, warner.c@apple.com, pwd@apple.com, tech-userlevel@netbsd.org, freebsd-hackers@freebsd.org
Subject: Re: RE: Need some advice regarding portable user IDs
Date: Tue, 17 Aug 1999 22:08:20 -0700
Message-Id: <199908180508.WAA55082@scv4.apple.com>
In-Reply-To: <199908180314.UAA47224@scv4.apple.com>

| I suppose you could carry a UID, GID mapping on the disks, and have mount look
| out for it.. If you had a 'removable disk' flag in /etc/fstab, then have the
| kernel look for those files, and use umapfs with them on the mounted FS. It
| could be rather dangerous security wise though.. Maybe have an option somewhere
| else (sysctl?) that tells mount whether removable disks are allowed to have
| files that are executable/devices/s[ug]id on it. (ie automatically have -o
| noexec,nosuid,nodevice done automatically based on user prefs)

I would assume that unless the user has the appropriate privileges and specifies otherwise, all non-local media will not honor setuid and so on.
So far, I'm thinking of local media as:

1) The root device (which holds the kernel, so you have to trust it).
2) Volumes that were initialized locally and have been kept local.
3) Any devices the administrator has specified as such.

#1 is easy. #2 implies some way of knowing what's been kept local, which is hard. #3 sounds easy.

Aside from the setuid business, I might want to toss out any UID from non-local media, since they may not be relevant. On the other hand, they might be, and it would be nice if I could keep them in that case. And all of this wants to happen without user intervention where possible.

Oh, about fstab... right... (This is just FYI.)

So we have a program called autodiskmount, which at boot time looks for available media and mounts it (the mount point is determined by the volume label). We don't use fstab normally, mostly because we want users to be able to attach a drive and not have to configure it; it just shows up when they boot. The Finder does a similar thing: it gets notified when new media is available and it will try to mount it. The present behaviour in Mac OS X Server is that everything mounted this way is trusted, though the Finder should be requesting nosetuid; I should check that.

It's also possible that the kernel will number drives in a different order (e.g. /dev/sd0a this boot might be /dev/sd1a next boot), particularly if you are shuffling drives around. (Remember that hot-swap complicates this.) So a string like "/dev/sd0a" in fstab is fragile, and it works out better if we keep that information on the mounted media rather than on the root volume.

-Fred

--
Wilfredo Sanchez, wsanchez@apple.com
Apple Computer, Inc., Core Operating Systems / BSD
Technical Lead, Darwin Project
1 Infinite Loop, 302-4K, Cupertino, CA 95014

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
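The policy discussed in this thread (root device and administrator-listed volumes are trusted; everything else is non-local and should be mounted with noexec,nosuid,nodev) can be checked against a mount table after the fact. The following audit script is an added example, not code from the thread, from Darwin or from FreeBSD. It assumes mount-table lines in the fstab-like "device mountpoint fstype options" layout, treats the volume mounted at / as the root device, and takes the administrator's list of local devices as a parameter; class 2 from the message (volumes initialized locally and kept local) needs state the mount table does not carry and is deliberately not modelled. The function names and the sample mount lines are constructed for the example.

```python
"""
Audit a mount table for non-local media that still honor setuid binaries,
device nodes or executables.

Added example (hypothetical helpers, constructed sample data). It mirrors
the trust classes from the thread: the root device and admin-listed
volumes are local; everything else is non-local and must carry the
restrictive option set.
"""

# The -o noexec,nosuid,nodev set from the thread, required on non-local media.
REQUIRED_NONLOCAL_OPTIONS = frozenset({"noexec", "nosuid", "nodev"})

# Different systems spell these options differently; fold aliases onto one name
# so that "nodevice" and "nodev", or "nosetuid" and "nosuid", compare equal.
OPTION_ALIASES = {
    "nodevice": "nodev",
    "nosetuid": "nosuid",
}


def parse_mount_table(text):
    """Parse "device mountpoint fstype opt1,opt2,..." lines into dicts.

    Blank lines and '#' comments are skipped; option aliases are normalised.
    Lines with fewer than four fields are rejected rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed mount line: {raw!r}")
        device, mountpoint, fstype, options = fields[:4]
        opts = {OPTION_ALIASES.get(o, o) for o in options.split(",") if o}
        entries.append({"device": device, "mountpoint": mountpoint,
                        "fstype": fstype, "options": opts})
    return entries


def is_local(entry, admin_local):
    """Class 1 (root device) or class 3 (admin-listed device) counts as local."""
    return entry["mountpoint"] == "/" or entry["device"] in admin_local


def audit(text, admin_local=frozenset()):
    """Return findings for every non-local mount missing a required option.

    Each finding names the mount point, the device and the options still
    missing, which is exactly what a remount would need to add.
    """
    findings = []
    for entry in parse_mount_table(text):
        if is_local(entry, admin_local):
            continue
        missing = sorted(REQUIRED_NONLOCAL_OPTIONS - entry["options"])
        if missing:
            findings.append({
                "mountpoint": entry["mountpoint"],
                "device": entry["device"],
                "missing": missing,
            })
    return findings


# Constructed sample: a root volume, a second disk the administrator trusts,
# an external drive mounted by volume label with only nosetuid, and a CD
# mounted with the full restrictive set (using the "nodevice" spelling).
SAMPLE_MOUNT_TABLE = """\
/dev/sd0a   /                 ufs    rw
/dev/sd1a   /Volumes/Scratch  ufs    rw,nosuid
/dev/sd2a   /Volumes/Travel   ufs    rw,nosetuid
/dev/cd0a   /Volumes/Install  cd9660 ro,noexec,nosuid,nodevice
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_MOUNT_TABLE, admin_local={"/dev/sd1a"}):
        print(f"{f['mountpoint']} ({f['device']}) is non-local but lacks: "
              f"{','.join(f['missing'])}")
```

With /dev/sd1a on the administrator's list, only /Volumes/Travel is reported (it lacks nodev and noexec); drop /dev/sd1a from the list and /Volumes/Scratch is flagged as well, which is the point of keeping the trusted set explicit rather than inferring it from the device name that, as the message notes, may change between boots.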