Date:      Fri, 20 Dec 2024 00:03:33 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 283425] [nullfs] nosuid bypass
Message-ID:  <bug-283425-227-Gt3dEvIDBe@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-283425-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-283425-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283425

--- Comment #6 from Sulev-Madis Silber <bugs-freebsd-org916@ketas.si.pri.ee> ---
(In reply to Konstantin Belousov from comment #5)
yes. it would confuse hell out of tools and users if some options appear to be
configured and they are not. esp one that actually (try) to impose restrictions
and are supposed to increase security, even if only a little bit

i honestly believed that lower fs limits are respected. unsure, from manpage,
such things aren't very clear too

but what if it instead of lying of flags, it would actually use them? if you
mount null from ro fs, it won't become rw suddenly (i actually tried it).
perhaps this could be configured from somewhere

i mean, nullfs is popular in jails and unsure which is better way for it to
operate

but it should behave consistently

i wonder how many systems suddenly start reporting suid binaries from either
periodic or from some other ids tools since mount output just lied. might
actually have something there too. or just the fact that you think you have
those options configured. exec and suid was not only allowed but nothing
checked fses too since it's cheap and easy to check if fs even supports it

i realize that this is maybe not that good practice but confusion is also bad
and everyone is human. luckily i outright tested what i configured. i expected
it to be nosuid, tried anyway, looked at mount, didn't get why it's still on
