From: Joe Marcus Clarke <marcus@FreeBSD.org>
To: Robert Watson
Cc: hackers@FreeBSD.org
Subject: Re: RFC: Adding a ``user'' mount option
Date: Tue, 04 Apr 2006 02:51:33 -0400
Message-Id: <1144133493.9725.36.camel@shumai.marcuscom.com>
In-Reply-To: <20060403232730.E76562@fledge.watson.org>
References: <1144042356.824.16.camel@shumai.marcuscom.com> <20060403104309.Y76562@fledge.watson.org> <44316CAB.2040706@FreeBSD.org> <20060403232730.E76562@fledge.watson.org>
Organization: FreeBSD, Inc.
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On Mon, 2006-04-03 at 23:30 +0100, Robert Watson wrote:
> On Mon, 3 Apr 2006, Joe Marcus Clarke wrote:
>
> >> I would suggest that an extremely careful security audit of the userspace
> >> and kernel mount and unmount code is due -- especially things like the
> >> per-filesystem mount code (mount_nfs, etc). I'm not against the principle
> >> of this though.
> >
> > Agreed. I was hoping to make this solution secure, flexible, and easy to
> > use.
>
> Sure. And if you don't commit bug fixes to mount, we'll know you haven't
> tried looking very hard, because it seems very likely to me it has problems
> :-).
>
> >> Also, I'm not 100% sure we should make the getuid() check return a hard
> >> error in user space. Let's continue to let the kernel code make the access
> >> control decision here.
> >
> > I did the check in user space so that I could read the fstab file, and know
> > that the volume was allowed to be user-[un]mounted. I suppose, though, that
> > I could set the flags in user space, then pass that to the kernel for the
> > actual access control decision as you say.
>
> I'm not entirely clear on what ideal is, but one possibility is to allow the
> user mount bit to determine whether the mount system call is invoked with
> privilege.

Thanks for the feedback. I'll try and release an updated diff this weekend that incorporates your suggestions, and I'll attempt the wildcard suggestion made by silby.

Joe

>
> Robert N M Watson
>

-- 
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome@FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
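As an added illustration of the split the exchange above converges on (user space reads fstab and sets a flag; the kernel makes the access-control decision), here is a small C model. It is not code from the patch under discussion nor from FreeBSD's mount(8) or kernel: the fstab text, the flag name FSTAB_USER_MOUNTABLE, and every function name are constructed for this example. The user-space side only answers "does fstab mark this mount point with the `user` option?"; the kernel-side function is the only place that decides whether an unprivileged caller may proceed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical flag that user space would set and pass along to the kernel. */
#define FSTAB_USER_MOUNTABLE 0x1

/* Constructed fstab contents for the example (not a real system's file). */
static const char SAMPLE_FSTAB[] =
    "# Device      Mountpoint  FStype   Options            Dump Pass\n"
    "/dev/ad0s1a   /           ufs      rw                 1    1\n"
    "/dev/ad0s1d   /usr        ufs      rw                 2    2\n"
    "/dev/da0s1    /mnt/usb    msdosfs  rw,noauto,user     0    0\n"
    "/dev/acd0     /cdrom      cd9660   ro,noauto,user     0    0\n";

struct fstab_entry {
    char dev[64];
    char mntpt[64];
    char fstype[16];
    char opts[128];
};

/* Parse one fstab line (first four fields); 0 for blank, comment or malformed lines. */
static int parse_fstab_line(const char *line, struct fstab_entry *e)
{
    if (line[0] == '#' || line[0] == '\0')
        return 0;
    return sscanf(line, "%63s %63s %15s %127s",
                  e->dev, e->mntpt, e->fstype, e->opts) == 4;
}

/* True only if the comma-separated option list contains the exact token "user"
 * ("nouser" or "users" do not match). */
static int has_user_option(const char *opts)
{
    char buf[128];
    strncpy(buf, opts, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
        if (strcmp(tok, "user") == 0)
            return 1;
    return 0;
}

/* User-space side: find mntpt in fstab text and compute the flags to hand to the
 * kernel. Returns -1 when the mount point is not listed at all (user space then
 * has nothing to assert), otherwise the flag word (0 or FSTAB_USER_MOUNTABLE). */
int user_flags_for(const char *fstab_text, const char *mntpt)
{
    const char *p = fstab_text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        struct fstab_entry e;
        if (parse_fstab_line(line, &e) && strcmp(e.mntpt, mntpt) == 0)
            return has_user_option(e.opts) ? FSTAB_USER_MOUNTABLE : 0;

        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Kernel-side decision (hypothetical model): a privileged caller may always
 * mount; an unprivileged caller only when the user bit accompanies the request.
 * The point of the thread is that this check lives here, not in mount(8). */
int mount_permitted(uid_t uid, int flags)
{
    if (uid == 0)
        return 1;
    return (flags & FSTAB_USER_MOUNTABLE) != 0;
}

int main(void)
{
    const char *targets[] = { "/mnt/usb", "/usr", "/nonexistent" };
    for (size_t i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
        int flags = user_flags_for(SAMPLE_FSTAB, targets[i]);
        if (flags < 0) {
            printf("%-13s not in fstab; user space passes no flag\n", targets[i]);
            flags = 0;
        }
        printf("%-13s flags=%d  uid 0: %s  uid 1001: %s\n", targets[i], flags,
               mount_permitted(0, flags) ? "allow" : "deny",
               mount_permitted(1001, flags) ? "allow" : "deny");
    }
    return 0;
}
```

The split keeps the trust boundary where Robert suggests: even if a buggy or hostile mount binary sets FSTAB_USER_MOUNTABLE for a path it should not, the kernel still has to decide whether that bit is acceptable for the caller, so the user-space lookup is advisory rather than authoritative.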