From owner-freebsd-current@FreeBSD.ORG Thu Jun 1 12:37:14 2006
Date: Thu, 1 Jun 2006 13:37:10 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: André Braga
Cc: ozawa@ongs.co.jp, dkirhlarov@oilspace.com, freebsd-hackers@freebsd.org, Dag-Erling Smørgrav, Daichi GOTO, freebsd-fs@freebsd.org, freebsd-current@freebsd.org, kris@obsecurity.org, Alexander Leidinger
Subject: Re: [ANN] unionfs patchset-13 release
Message-ID: <20060601133410.M37536@fledge.watson.org>
In-Reply-To: <2ad73a0605311125h7ac8a927t33bbfadf9fe18c33@mail.gmail.com>
List-Id: Discussions about the use of FreeBSD-current
On Wed, 31 May 2006, André Braga wrote:

> A post scriptum to the original message:
>
> The buggy behaviour won't affect the host system, but the jail could well be
> compromised. I also have this feeling that ACLs also aren't respected inside
> jails or can be overwritten as easily as shown below

By "ACLs also aren't respected inside jails", do you mean, "ACLs don't work in
jail", or do you mean, "ACLs don't work with unionfs"? They are believed firmly
to work with jail, and if you have evidence to the contrary, a PR pointer would
be greatly appreciated so it can be investigated.

I don't know much about the behavior of unionfs, but if VOP_ACCESS is passed
down properly through the stack, then ACLs should be implemented. There might
be problems if two file systems are stacked and have different access control
models. I don't know enough about unionfs to reason about how it does behave,
or should behave. Unionfs seems to violate the notion of POLA, so I'm not sure
how much POLA will help :-).

Robert N M Watson

>
> Thanks,
> André
>
> ---------------------- 8< ----------------------
>
> Hi,
>
> Once again, thank you for your patch.
>
> I believe I have found a bug:
>
> If a file or directory has non-default flags and this directory is
> mounted below a target point, the resulting union will not preserve
> the directory flags. Worse, it will appear as if the file flags are
> preserved, but they are not and as soon as a file that should not be
> modified gets modified, the flags are reset to the default state on
> the union mount. This could pose a *serious* security breach for
> people running jails rooted on unionfs mounts, like I intended to.
>
> Test case:
> (discrepancies are marked by a line containing "**** NOTICE" and
> aligned to fixed-length font display)
>
> # cd /tmp
> # mkdir -p test/a test/b/bb test/b/cc
> # touch test/b/cc/dd
> # chflags schg test/b/bb/
> # chflags uappnd test/b/cc/dd
> # ls -Rlo
> total 2
> drwxr-xr-x  4 root  wheel  -       512 Apr 29 08:12 test
>
> ./test:
> total 4
> drwxr-xr-x  2 root  wheel  -       512 Apr 29 08:12 a
> drwxr-xr-x  4 root  wheel  -       512 Apr 29 08:12 b
>
> ./test/a:
> total 0
>
> ./test/b:
> total 4
> drwxr-xr-x  2 root  wheel  schg    512 Apr 29 08:12 bb
> **** NOTICE 1a             ^^^^ ****
> drwxr-xr-x  2 root  wheel  -       512 Apr 29 08:12 cc
>
> ./test/b/bb:
> total 0
>
> ./test/b/cc:
> total 0
> -rw-r--r--  1 root  wheel  uappnd    0 Apr 29 08:12 dd
> **** NOTICE 2a             ^^^^^^ ****
> # echo ee >test/b/cc/dd
> test/b/cc/dd: Operation not permitted.
> # echo ee >> test/b/cc/dd
> **** NOTICE: this is the intended behavior for the 'uappnd' flag ****
> # cat test/b/cc/dd
> ee
> #
> # mount_unionfs -c transparent -b test/b test/a
> # ls -Rlo
> total 2
> drwxr-xr-x  4 root  wheel  -       512 Apr 29 08:12 test
>
> ./test:
> total 4
> drwxr-xr-x  2 root  wheel  -       512 Apr 29 08:12 a
> drwxr-xr-x  4 root  wheel  -       512 Apr 29 08:12 b
>
> ./test/a:
> total 4
> drwxr-xr-x  2 root  wheel  -       512 Apr 29 08:12 bb
> **** NOTICE 1b             ^^^ ****
> drwxr-xr-x  2 root  wheel  -       512 Apr 29 08:12 cc
>
> ./test/a/bb:
> total 0
>
> ./test/a/cc:
> total 2
> -rw-r--r--  1 root  wheel  uappnd    3 Apr 29 08:15 dd
> **** NOTICE 2b (LOOKS OK)  ^^^^^^ ****
>
> ./test/b:
> total 4
> drwxr-xr-x  2 root  wheel  schg    512 Apr 29 08:12 bb
> drwxr-xr-x  2 root  wheel  -       512 Apr 29 08:12 cc
>
> ./test/b/bb:
> total 0
>
> ./test/b/cc:
> total 2
> -rw-r--r--  1 root  wheel  uappnd    3 Apr 29 08:15 dd
> # echo ff > test/a/cc/dd
> # cat test/a/cc/dd
> ff
> **** NOTICE: very wrong behavior for the 'uappnd' flag! ****
> # ls -lo test/a/cc/dd
> -rw-r--r--  1 root  wheel  -         3 Apr 29 08:20 test/a/cc/dd
> **** NOTICE 2c (NO FLAG!)  ^^^ ****
> # echo gg >test/b/cc/hh
> # chflags schg test/b/cc/hh
> # rm test/b/cc/hh
> override rw-r--r-- root/wheel schg for test/b/cc/hh? yes
> rm: test/b/cc/hh: Operation not permitted
> **** NOTICE 3a    ^^^^^^^^^^^^^^^^^^^^^^^ ****
> # ls -lo test/a/cc/hh
> -rw-r--r--  1 root  wheel  schg      3 Apr 29 08:24 test/a/cc/hh
> **** NOTICE 3b             ^^^^ ****
> # rm test/a/cc/hh
> override rw-r--r-- root/wheel schg for test/a/cc/hh? yes
> **** NOTICE 3c (NO ERROR!) ****
> # ls -lo test/a/cc/
> total 2
> -rw-r--r--  1 root  wheel  -         3 Apr 29 08:20 dd
> **** NOTICE 3d (the file is gone despite immutable flags seemingly set!) ****
>
> End of test case
>
> It makes no difference to specify '-c traditional'.
>
> I skimmed over the patch code and have noticed no file flags or
> director[y flags] are indeed [ever] copied to the shadow files.
> [Edit: spelling]
>
> I'd really appreciate it if you could fix that for the patch version 12.
>
> Thank you very much!
> André
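The reporter's manual test case, scripted so the flag-preservation check can be rerun as a regression test against any unionfs build. This is an added example, not code from the original mail or from the unionfs patchset. It assumes FreeBSD, root, chflags(1) and mount_unionfs(8); the mount options mirror the report ("-c transparent -b"; later releases spell the copy mode "-o copymode=transparent"); and the scratch tree (default /tmp/unionfs-flags) and function names are this script's own choices, not the reporter's /tmp/test layout.

```shell
#!/bin/sh
# unionfs_flags_check.sh
# Added example, not code from the original mail or from the unionfs
# patchset: the reporter's manual test case turned into a rerunnable
# regression check for file flag handling across a union mount.
# Assumptions: FreeBSD with chflags(1) and mount_unionfs(8), run as root;
# mount options mirror the report ("-c transparent -b"; later releases
# spell the copy mode "-o copymode=transparent"); the scratch tree lives
# under the BASE argument (default /tmp/unionfs-flags), not /tmp/test.

fails=0

# flags_in_listing NAME LISTING
# Print the flags column of entry NAME from the text of an "ls -lo" listing
# (columns: mode links owner group flags size month day time name).
# Prints "-" when the entry carries no flags, nothing when NAME is absent.
flags_in_listing() {
    printf '%s\n' "$2" | awk -v n="$1" 'NF >= 10 && $NF == n { print $5 }'
}

# layer_flags DIR NAME: flags of DIR/NAME as reported by "ls -lo DIR".
layer_flags() {
    flags_in_listing "$2" "$(ls -lo "$1")"
}

# check LABEL EXPECTED ACTUAL: print one result line, count mismatches.
check() {
    if [ "$2" = "$3" ]; then
        printf 'ok       %s: %s\n' "$1" "$3"
    else
        printf 'MISMATCH %s: expected %s, got %s\n' "$1" "$2" "$3"
        fails=$((fails + 1))
    fi
}

# yes_no TEST...: "yes" if the test(1) expression holds, else "no".
yes_no() { if [ "$@" ]; then echo yes; else echo no; fi; }

# run_check BASE: build the fixture, mount, compare, clean up.
# Returns the number of mismatches (0 means flags were preserved).
run_check() {
    base=${1:-/tmp/unionfs-flags}
    lower=$base/lower
    union=$base/union
    mkdir -p "$lower/bb" "$lower/cc" "$union"
    : > "$lower/cc/dd"
    chflags schg "$lower/bb"
    chflags uappnd "$lower/cc/dd"
    mount_unionfs -c transparent -b "$lower" "$union" ||
        { echo "mount_unionfs failed"; return 1; }

    # 1. Flags seen through the union must equal those on the lower layer
    #    (report: bb lost schg, dd still showed uappnd).
    check "bb after mount" "$(layer_flags "$lower" bb)" "$(layer_flags "$union" bb)"
    check "dd after mount" "$(layer_flags "$lower/cc" dd)" "$(layer_flags "$union/cc" dd)"

    # 2. A truncating write through the union must still be refused by
    #    uappnd, and the shadow copy must keep the flag (report: both failed).
    if sh -c "echo ff > '$union/cc/dd'" 2>/dev/null; then
        check "truncating write to uappnd file via union" refused succeeded
    else
        check "truncating write to uappnd file via union" refused refused
    fi
    check "dd after write" uappnd "$(layer_flags "$union/cc" dd)"

    # 3. schg must still block unlink through the union (report: rm
    #    succeeded silently and the file vanished from the union view).
    echo gg > "$lower/cc/hh"
    chflags schg "$lower/cc/hh"
    rm -f "$union/cc/hh" 2>/dev/null
    check "hh still visible via union" yes "$(yes_no -e "$union/cc/hh")"
    check "hh still present in lower" yes "$(yes_no -e "$lower/cc/hh")"

    umount "$union"
    chflags -R 0 "$base"    # clear schg/uappnd so the tree can be removed
    rm -rf "$base"
    echo "$fails mismatch(es)"
    return "$fails"
}

# Only "sh unionfs_flags_check.sh run [BASE]" touches the system; the
# functions above can be sourced or unit-tested without mounting anything.
case "${1:-}" in
run) run_check "${2:-}" ;;
esac
```

Run as root with `sh unionfs_flags_check.sh run`; the exit status is the number of mismatches, so a unionfs that copies flags to its shadow files yields 0, while the behaviour in the report produces MISMATCH lines for bb after mount, the truncating write, dd after write and hh after rm. Sourcing the file without the `run` argument only defines the functions.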