Date: Sun, 07 Nov 2004 18:38:29 -0600
From: "J.D. Bronson"
To: Giorgos Keramidas
Cc: freebsd-questions@freebsd.org
Subject: Re: 5.3 tmpfs mount permissions
Organization: Aurora Health Care, Milwaukee WI USA
Message-Id: <6.2.0.13.2.20041107183743.00ac4e78@cheyenne.wixb.com>
In-Reply-To: <20041108000601.GB3200@gothmog.gr>

At 06:06 PM 11/07/2004, Giorgos Keramidas wrote:
>On 2004-11-07 14:52, "J.D. Bronson" wrote:
> > I setup /etc/rc.conf as follows:
> >
> > tmpmfs="YES"
> > tmpsize="512m"
> >
> > and it works - but I want to mount tmp with some additional
> > options and wondering how to edit /etc/rc.d/tmp to accommodate this?
> >
> > I would like to add this: noexec,nosuid,nodev,nosymfollow
> > when /tmp is mounted as tmpfs.
>
>I see no way to pass extra options to mdmfs from `/etc/rc.d/tmp'. One
>way to do this is to modify /etc/rc.d/tmp locally, but this will create
>maintenance work for every mergemaster run you do in the future.
>
> > Can anyone offer some advice - thanks :)
>
>The following patch is against CURRENT. Does this look like a good thing to
>you? If it does, we could ask our rc.d gurus for their approval to commit it
>to the tree.
>
>Then, all you'd have to do to pass special options to the tmpmfs mount would
>be to add something like this to your `rc.conf':
>
>    tmpoptions="noexec,nosuid,nodev,nosymfollow"
>
>----- tmpmfs-options.patch begins here -----
>Index: etc/rc.subr >=================================================================== >RCS file: /home/ncvs/src/etc/rc.subr,v >retrieving revision 1.31 >diff -u -r1.31 rc.subr >--- etc/rc.subr 30 Jul 2004 17:19:35 -0000 1.31 >+++ etc/rc.subr 7 Nov 2004 23:55:27 -0000 
>@@ -1290,11 +1290,15 @@ > # $1 = size > # $2 = mount point > # $3 = (optional) bytes-per-inode >+# $4 = extra options > mount_md() { >+ if [ -n "$4" ]; then >+ opt="-o $4" >+ fi > if [ -n "$3" ]; then > bpi="-i $3" > fi >- /sbin/mdmfs $bpi -s $1 -M md $2 >+ /sbin/mdmfs $bpi $opt -s $1 -M md $2 > } > > fi >Index: etc/defaults/rc.conf >=================================================================== >RCS file: /home/ncvs/src/etc/defaults/rc.conf,v >retrieving revision 1.229 >diff -u -r1.229 rc.conf >--- etc/defaults/rc.conf 4 Nov 2004 13:33:29 -0000 1.229 >+++ etc/defaults/rc.conf 7 Nov 2004 23:57:34 -0000 >@@ -40,6 +40,7 @@ > removable_interfaces="" # Removable network interfaces for > /etc/pccard_ether. > tmpmfs="AUTO" # Set to YES to always create an mfs /tmp, NO to > never > tmpsize="20m" # Size of mfs /tmp if created >+tmpoptions="" # extra mount options for tmpfs > varmfs="AUTO" # Set to YES to always create an mfs /var, NO to > never > varsize="32m" # Size of mfs /var if created > populate_var="AUTO" # Set to YES to always (re)populate /var, NO to never >Index: etc/rc.d/tmp >=================================================================== >RCS file: /home/ncvs/src/etc/rc.d/tmp,v >retrieving revision 1.34 >diff -u -r1.34 tmp >--- etc/rc.d/tmp 7 Oct 2004 13:55:26 -0000 1.34 >+++ etc/rc.d/tmp 7 Nov 2004 23:56:31 -0000 >@@ -56,7 +56,7 @@ > echo "dropping into shell, ^D to continue anyway." > /bin/sh > else >- mount_md ${tmpsize} /tmp >+ mount_md ${tmpsize} /tmp ${tmpoptions} > chmod 01777 /tmp > fi > fi >Index: share/man/man5/rc.conf.5 >=================================================================== >RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v >retrieving revision 1.235 >diff -u -r1.235 rc.conf.5 >--- share/man/man5/rc.conf.5 4 Nov 2004 13:33:29 -0000 1.235 >+++ share/man/man5/rc.conf.5 8 Nov 2004 00:00:13 -0000 
>@@ -240,6 +240,12 @@ > Controls the size of a created > .Pa /tmp > memory file system. >+.It Va tmpoptions >+Controls the >+.Xr mount 8 >+options of a created >+.Pa /tmp >+memory file system. > .It Va varmfs > Controls the creation of a > .Pa /var >@@ -3109,6 +3115,7 @@ > .Xr kldxref 8 , > .Xr lpd 8 , > .Xr mdconfig 8 , >+.Xr mount 8 , > .Xr mountd 8 , > .Xr moused 8 , > .Xr mrouted 8 , >----- tmpmfs-options.patch ends here -----

this looks GREAT.
I think for security in mind, this would be a welcome addition to the FreeBSD OS - no ??

Thanks....I really appreciate this!

--
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: jd@aurora.org // Pager: 414.314.8282
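
Review bot: in the etc/rc.d/tmp hunk, `mount_md ${tmpsize} /tmp ${tmpoptions}` passes the options as the third argument, which the rc.subr hunk documents as bytes-per-inode, so the list would be handed to mdmfs after `-i` and `$4` would never be set. Keep the third slot empty and quote the fourth, for example `mount_md ${tmpsize} /tmp "" "${tmpoptions}"`, or change the parameter order in mount_md so that callers which do not set bytes-per-inode need no placeholder.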
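
Review bot: in the etc/rc.subr hunk, `opt` is assigned only when `$4` is non-empty and is never cleared (the same holds for the existing `bpi`), so a value already present in the shell from an earlier mount_md call or from the environment would be reused on a call made without options. Begin the function with `opt=` and `bpi=` before the two tests. Because `$opt` is expanded unquoted on the mdmfs line, the parameter comment should also say that `$4` is a single comma-separated list with no spaces.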
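
Review bot: the rc.conf.5 entry for `tmpoptions` in the first man page hunk does not say what form the value takes or what happens when it is empty. Since the rc.subr hunk passes it as `-o $4` to mdmfs, describe it as a comma-separated option list given to mdmfs with `-o`, note that the default is empty, and include a short example value such as the `noexec,nosuid,nodev,nosymfollow` list from this thread.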
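
A post-boot check for the options requested in this thread, as an added example that is not part of the original message or the patch: it reads `mount` output on stdin and reports which required options a mount point lacks. The function name, its exit codes and the two sample `mount` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a mount point carries the
# hardening options asked for, using FreeBSD-style `mount` output on stdin.

# Constructed sample lines in the format `mount` prints on FreeBSD.
SAMPLE_DEFAULT='/dev/md0 on /tmp (ufs, local, soft-updates)'
SAMPLE_HARDENED='/dev/md0 on /tmp (ufs, local, nodev, noexec, nosuid, nosymfollow)'
REQUIRED='noexec,nosuid,nodev,nosymfollow'

# missing_mount_opts <mountpoint> <comma-separated required options>
# Prints the missing options (comma-separated) on stdout.
# Returns 0 if none are missing, 1 if some are, 2 if the mount point is absent.
missing_mount_opts() {
    mnt=$1
    required=$2
    # Take the parenthesised flag list of the last mount on this exact path.
    flags=$(awk -v m="$mnt" '$2 == "on" && $3 == m {
        line = $0
        sub(/^[^(]*\(/, "", line)
        sub(/\).*$/, "", line)
        print line
    }' | tail -n 1)
    [ -n "$flags" ] || return 2
    missing=""
    old_ifs=$IFS
    IFS=,
    for want in $required; do
        found=no
        for have in $flags; do
            have=${have# }          # flags are separated by ", "
            if [ "$have" = "$want" ]; then found=yes; fi
        done
        [ "$found" = yes ] || missing="${missing:+$missing,}$want"
    done
    IFS=$old_ifs
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
    if out=$(printf '%s\n' "$sample" | missing_mount_opts /tmp "$REQUIRED"); then
        echo "/tmp carries all of: $REQUIRED"
    else
        echo "/tmp is missing: $out"
    fi
done
```

On a live host the same function takes real input: `mount | missing_mount_opts /tmp "$REQUIRED"`.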