Date: Sun, 20 Jul 2003 09:37:03 -0700
From: Gordon Tetlow <gordont@gnf.org>
To: Ian Dowse <iedowse@maths.tcd.ie>
Cc: arch@freebsd.org
Subject: Re: *statfs exposure of file system IDs to non-root users
Message-ID: <20030720163703.GF12996@roark.gnf.org>
In-Reply-To: <200307200306.aa17802@salmon.maths.tcd.ie>
References: <200307200306.aa17802@salmon.maths.tcd.ie>
On Sun, Jul 20, 2003 at 03:06:13AM +0100, Ian Dowse wrote:
>
> In changing umount(8) to use statfs(2), I just noticed that the
> various *statfs calls hide the filesystem IDs from non-root users:
>
>     if (suser(td)) {
>         bcopy(sp, &sb, sizeof(sb));
>         sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
>         sp = &sb;
>     }
>
> This was added in vfs_syscalls.c revision 1.61 (March 1997) and
> came from OpenBSD. I guess the reason was to hide information that
> gets used in NFS filehandles, but it doesn't do us any good now as
> you can get the real IDs from getfsstat() as a normal user. Being
> able to get and compare file system IDs is useful for umount, and
> umount can be used by non-root users when vfs.usermount is set.
>
> Is there a good reason not to delete this fsid hiding? I guess if
> we do want to keep the values used in NFS handles secret while still
> exposing useful IDs to userland, we could add a separate user-side
> fsid to struct mount and use that instead. The IDs for NFS need to
> be persistent across reboots, but the user ones don't. Note that
> NFS filesystems use a hidden generation number for each file too,
> so just knowing the filesystem ID isn't enough on its own to form
> a valid handle.

But it's that much less that an attacker needs to guess. Can you make
it so a non-root user falls back to the old umount method, thereby
not needing the fsid? I think if you have a hung remote NFS server,
root probably needs to step in to check on things.

-gordon
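
The alternative raised in the quoted message, a separate user-side fsid returned consistently by both calls, sketched as a userland C model. This is an added example, not code from the thread or from FreeBSD. All names (`mount_model`, `export_fsid`, `model_statfs`, `model_getfsstat`, `find_mount_index`) and the sample IDs are hypothetical, and it assumes root still sees the NFS fsid.

```c
/* Userland model only: every name here is hypothetical, not a FreeBSD kernel API. */
#include <stdint.h>
#include <string.h>
typedef struct { int32_t val[2]; } fsid_model_t;
struct mount_model {
    const char  *mntonname;
    fsid_model_t nfs_fsid;   /* persistent across reboots; used in NFS file handles */
    fsid_model_t user_fsid;  /* per-boot value; harmless to show to any user */
};
/* Constructed sample mount table. */
static struct mount_model mounts[] = {
    { "/",     { { 0x1a2b3c4d, 7 } }, { { 1, 0 } } },
    { "/home", { { 0x5e6f7081, 7 } }, { { 2, 0 } } },
};
#define NMOUNTS (sizeof(mounts) / sizeof(mounts[0]))

/* Single choke point: every call that returns an fsid applies the same policy. */
static fsid_model_t export_fsid(const struct mount_model *mp, int is_root) {
    return is_root ? mp->nfs_fsid : mp->user_fsid;
}

/* Model of statfs(2): look up one mount by path; 0 on success, -1 if not found. */
int model_statfs(const char *path, int is_root, fsid_model_t *out) {
    for (size_t i = 0; i < NMOUNTS; i++)
        if (strcmp(mounts[i].mntonname, path) == 0) {
            *out = export_fsid(&mounts[i], is_root);
            return 0;
        }
    return -1;
}

/* Model of getfsstat(2): copy out up to n fsids, return how many were written. */
int model_getfsstat(fsid_model_t *buf, size_t n, int is_root) {
    size_t i;
    for (i = 0; i < NMOUNTS && i < n; i++)
        buf[i] = export_fsid(&mounts[i], is_root);
    return (int)i;
}

/* What umount needs: match statfs(path) against the getfsstat list by fsid. */
int find_mount_index(const char *path, int is_root) {
    fsid_model_t want, list[NMOUNTS];
    if (model_statfs(path, is_root, &want) != 0) return -1;
    int n = model_getfsstat(list, NMOUNTS, is_root);
    for (int i = 0; i < n; i++)
        if (memcmp(&list[i], &want, sizeof(want)) == 0) return i;
    return -1;
}
int main(void) { return find_mount_index("/home", 0) == 1 ? 0 : 1; }
```

Because both calls go through `export_fsid`, a non-root caller can still compare IDs for umount but never receives the value that goes into NFS handles from either path.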
