From: Gordon Tetlow <gtetlow@gnf.org>
To: Ian Dowse
Date: Sun, 20 Jul 2003 09:37:03 -0700
Message-ID: <20030720163703.GF12996@roark.gnf.org>
In-Reply-To: <200307200306.aa17802@salmon.maths.tcd.ie>
Cc: arch@freebsd.org
Subject: Re: *statfs exposure of file system IDs to non-root users

On Sun, Jul 20, 2003 at 03:06:13AM +0100, Ian Dowse wrote:
>
> In changing umount(8) to use statfs(2), I just noticed that the
> various *statfs calls hide the filesystem IDs from non-root users:
>
>     if (suser(td)) {
>         bcopy(sp, &sb, sizeof(sb));
>         sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
>         sp = &sb;
>     }
>
> This was added in vfs_syscalls.c revision 1.61 (March 1997) and
> came from OpenBSD. I guess the reason was to hide information that
> gets used in NFS filehandles, but it doesn't do us any good now as
> you can get the real IDs from getfsstat() as a normal user. Being
> able to get and compare file system IDs is useful for umount, and
> umount can be used by non-root users when vfs.usermount is set.
>
> Is there a good reason not to delete this fsid hiding? I guess if
> we do want to keep the values used in NFS handles secret while still
> exposing useful IDs to userland, we could add a separate user-side
> fsid to struct mount and use that instead. The IDs for NFS need to
> be persistent across reboots, but the user ones don't. Note that
> NFS filesystems use a hidden generation number for each file too,
> so just knowing the filesystem ID isn't enough on its own to form
> a valid handle. But it's that much less that an attacker needs to guess.
Can you make it so a non-root user falls back to the old umount method,
thereby not needing the fsid? I think if you have a hung remote NFS
server, root probably needs to step in to check on things.

-gordon