From owner-freebsd-hackers@FreeBSD.ORG Mon Apr 3 22:30:31 2006
Date: Mon, 3 Apr 2006 23:30:23 +0100 (BST)
From: Robert Watson
To: Joe Marcus Clarke
Cc: hackers@FreeBSD.org
Subject: Re: RFC: Adding a ``user'' mount option
Message-ID: <20060403232730.E76562@fledge.watson.org>
In-Reply-To: <44316CAB.2040706@FreeBSD.org>
References: <1144042356.824.16.camel@shumai.marcuscom.com> <20060403104309.Y76562@fledge.watson.org> <44316CAB.2040706@FreeBSD.org>
List-Id: Technical Discussions relating to FreeBSD

On Mon, 3 Apr 2006, Joe Marcus Clarke wrote:

>> I would suggest that an extremely careful security audit of the userspace
>> and kernel mount and unmount code is due -- especially things like the
>> per-filesystem mount code (mount_nfs, etc). I'm not against the principle
>> of this though.
>
> Agreed. I was hoping to make this solution secure, flexible, and easy to
> use.

Sure. And if you don't commit bug fixes to mount, we'll know you haven't
tried looking very hard, because it seems very likely to me it has problems
:-).

>> Also, I'm not 100% sure we should make the getuid() check return a hard
>> error in user space. Let's continue to let the kernel code make the access
>> control decision here.
>
> I did the check in user space so that I could read the fstab file, and know
> that the volume was allowed to be user-[un]mounted. I suppose, though, that
> I could set the flags in user space, then pass that to the kernel for the
> actual access control decision as you say.

I'm not entirely clear on what ideal is, but one possibility is to allow the
user mount bit to determine whether the mount system call is invoked with
privilege.

Robert N M Watson