Date:      Thu, 1 Jun 2006 13:37:10 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        André Braga <meianoite@gmail.com>
Cc:        ozawa@ongs.co.jp, dkirhlarov@oilspace.com, freebsd-hackers@freebsd.org, Dag-Erling Smørgrav <des@des.no>, Daichi GOTO <daichi@freebsd.org>, freebsd-fs@freebsd.org, freebsd-current@freebsd.org, kris@obsecurity.org, Alexander Leidinger <Alexander@leidinger.net>
Subject:   Re: [ANN] unionfs patchset-13 release
Message-ID:  <20060601133410.M37536@fledge.watson.org>
In-Reply-To: <2ad73a0605311125h7ac8a927t33bbfadf9fe18c33@mail.gmail.com>
References:  <E1F5gbI-000Eea-B7@cs1.cs.huji.ac.il> <43E73330.8070101@freebsd.org> <43EB4C00.2030101@freebsd.org> <4417DD8D.3050201@freebsd.org> <4433CA53.5050000@freebsd.org> <444E13BA.8050902@freebsd.org> <4475C119.1020305@freebsd.org> <447C919B.20303@freebsd.org> <86bqteikj4.fsf@xps.des.no> <20060531133814.acykloyqhkcccg80@netchild.homeip.net> <2ad73a0605311125h7ac8a927t33bbfadf9fe18c33@mail.gmail.com>

On Wed, 31 May 2006, André Braga wrote:

> A post scriptum to the original message:
>
> The buggy behaviour won't affect the host system, but the jail could well be
> compromised. I also have this feeling that ACLs also aren't respected inside
> jails or can be overwritten as easily as shown below

By "ACLs also aren't respected inside jails", do you mean, "ACLs don't work in
jail", or do you mean, "ACLs don't work with unionfs"?  They are believed
firmly to work with jail, and if you have evidence to the contrary, a PR
pointer would be greatly appreciated so it can be investigated.

I don't know much about the behavior of unionfs, but if VOP_ACCESS is passed
down properly through the stack, then ACLs should be implemented.  There might
be problems if two file systems are stacked and have different access control
models.  I don't know enough about unionfs to reason about how it does behave,
or should behave.  Unionfs seems to violate the notion of POLA, so I'm not
sure how much POLA will help :-).

Robert N M Watson

>
> Thanks,
> André
>
> ---------------------- 8< ----------------------
>
> Hi,
>
> Once again, thank you for your patch.
>
> I believe I have found a bug:
>
> If a file or directory has non-default flags and this directory is
> mounted below a target point, the resulting union will not preserve
> the directory flags. Worse, it will appear as if the file flags are
> preserved, but they are not and as soon as a file that should not be
> modified gets modified, the flags are reset to the default state on
> the union mount. This could pose a *serious* security breach for
> people running jails rooted on unionfs mounts, like I intended to.
>
> Test case:
> (discrepancies are marked by a line containing "**** NOTICE" and
> aligned to fixed-length font display)
>
> # cd /tmp
> # mkdir -p test/a test/b/bb test/b/cc
> # touch test/b/cc/dd
> # chflags schg test/b/bb/
> # chflags uappnd test/b/cc/dd
> # ls -Rlo
> total 2
> drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 test
>
> ./test:
> total 4
> drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 a
> drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 b
>
> ./test/a:
> total 0
>
> ./test/b:
> total 4
> drwxr-xr-x  2 root  wheel  schg 512 Apr 29 08:12 bb
> **** NOTICE 1a             ^^^^    ****
> drwxr-xr-x  2 root  wheel  -    512 Apr 29 08:12 cc
>
> ./test/b/bb:
> total 0
>
> ./test/b/cc:
> total 0
> -rw-r--r--  1 root  wheel  uappnd 0 Apr 29 08:12 dd
> **** NOTICE 2a             ^^^^^^    ****
> # echo ee >test/b/cc/dd
> test/b/cc/dd: Operation not permitted.
> # echo ee >> test/b/cc/dd
> **** NOTICE: this is the intended behavior for the 'uappnd' flag ****
> # cat test/b/cc/dd
> ee
> #
> # mount_unionfs -c transparent -b test/b test/a
> # ls -Rlo
> total 2
> drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 test
>
> ./test:
> total 4
> drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 a
> drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 b
>
> ./test/a:
> total 4
> drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 bb
> **** NOTICE 1b            ^^^    ****
> drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 cc
>
> ./test/a/bb:
> total 0
>
> ./test/a/cc:
> total 2
> -rw-r--r--  1 root  wheel  uappnd 3 Apr 29 08:15 dd
> **** NOTICE 2b (LOOKS OK)  ^^^^^^    ****
> ./test/b:
> total 4
> drwxr-xr-x  2 root  wheel  schg 512 Apr 29 08:12 bb
> drwxr-xr-x  2 root  wheel  -    512 Apr 29 08:12 cc
>
> ./test/b/bb:
> total 0
>
> ./test/b/cc:
> total 2
> -rw-r--r--  1 root  wheel  uappnd 3 Apr 29 08:15 dd
> # echo ff > test/a/cc/dd
> # cat test/a/cc/dd
> ff
> **** NOTICE: very wrong behavior for the 'uappnd' flag! ****
> # ls -lo test/a/cc/dd
> -rw-r--r--  1 root  wheel  - 3 Apr 29 08:20 test/a/cc/dd
> **** NOTICE 2c (NO FLAG!) ^^^    ****
> # echo gg >test/b/cc/hh
> # chflags schg test/b/cc/hh
> # rm test/b/cc/hh
> override rw-r--r--  root/wheel schg for test/b/cc/hh? yes
> rm: test/b/cc/hh: Operation not permitted
> **** NOTICE 3a    ^^^^^^^^^^^^^^^^^^^^^^^  ****
> # ls -lo test/a/cc/hh
> -rw-r--r--  1 root  wheel  schg 3 Apr 29 08:24 test/a/cc/hh
> **** NOTICE 3b             ^^^^    ****
> # rm test/a/cc/hh
> override rw-r--r--  root/wheel schg for test/a/cc/hh? yes
> **** NOTICE 3c (NO ERROR!)  ****
> # ls -lo test/a/cc/
> total 2
> -rw-r--r--  1 root  wheel  - 3 Apr 29 08:20 dd
> **** NOTICE 3d (the file is gone despite immutable flags seemingly set!) ****
>
> End of test case
>
> It makes no difference to specify '-c traditional'.
>
> I skimmed over the patch code and have noticed no file flags or
> director[y flags] are indeed [ever] copied to the shadow files.
> [Edit: spelling]
>
> I'd really appreciate if you could fix that for the patch version 12.
>
> Thank you very much!
> André
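A self-checking form of the test case quoted above, added here as an example; it is not code from this thread or from the unionfs patchset. It assumes the mount_unionfs invocation used in the test case (`-c transparent -b`, the 2006 patchset's syntax) and the `ls -lo` column layout shown in the transcript (the flags column is the fifth field, printed as `-` when no flags are set). On a current FreeBSD the option spelling would be `-o below -o copymode=transparent`; treat that as an assumption to check against mount_unionfs(8) on your release. The parsing helpers are plain text processing and run anywhere; the mount itself is only attempted on FreeBSD as root, and clearing `schg` during cleanup needs securelevel 0 or lower.

```shell
#!/bin/sh
# Added example (not from the thread): self-checking version of the
# unionfs file-flag test case. Helpers are pure text processing; the
# mount is only attempted on FreeBSD as root.
set -eu

# Flags column of one `ls -lo` line: mode, links, owner, group, FLAGS, size ...
# ls prints "-" in that column when no flags are set.
flags_of_line() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Compare the flags of a lower-layer entry with its union-visible twin.
# Prints: preserved (same flags), dropped (lower has flags, union shows "-"),
# changed (both set but different), none (neither has flags).
classify_pair() {
    lower=$(flags_of_line "$1")
    union=$(flags_of_line "$2")
    if [ "$lower" = "-" ] && [ "$union" = "-" ]; then
        echo none
    elif [ "$lower" = "$union" ]; then
        echo preserved
    elif [ "$union" = "-" ]; then
        echo dropped
    else
        echo changed
    fi
}

# Walk a lower directory and the union directory covering it and report every
# entry whose flags differ. Returns 1 if any entry lost or changed flags.
# Relies on BSD ls -o (flags column); GNU ls -o means something else.
audit_flags() {
    lower_dir=$1; union_dir=$2; bad=0
    for path in $(cd "$lower_dir" && find . -mindepth 1); do
        lower_line=$(ls -ldo "$lower_dir/$path")
        union_line=$(ls -ldo "$union_dir/$path")
        verdict=$(classify_pair "$lower_line" "$union_line")
        case $verdict in
            dropped|changed)
                echo "$verdict: $path (lower=$(flags_of_line "$lower_line") union=$(flags_of_line "$union_line"))"
                bad=1 ;;
        esac
    done
    return $bad
}

# Reproduce the scenario from the thread. Uses the patchset's mount_unionfs
# syntax from the test case; on current FreeBSD the equivalent is assumed to be
# `mount_unionfs -o below -o copymode=transparent` (check mount_unionfs(8)).
run_testcase() {
    work=$(mktemp -d /tmp/unionflags.XXXXXX)
    mkdir -p "$work/a" "$work/b/bb" "$work/b/cc"
    touch "$work/b/cc/dd"
    chflags schg "$work/b/bb"
    chflags uappnd "$work/b/cc/dd"
    mount_unionfs -c transparent -b "$work/b" "$work/a"
    # A truncating write through the union must fail just as it does on the
    # lower layer (uappnd allows append only).
    if echo ff > "$work/a/cc/dd" 2>/dev/null; then
        echo "BUG: truncating write to uappnd file succeeded via union"
    fi
    # The copy-up must carry the flags; this is where the patchset dropped them.
    audit_flags "$work/b" "$work/a" || echo "BUG: flags not preserved on union copies"
    umount "$work/a"
    chflags -R noschg,nouappnd "$work"
    rm -rf "$work"
}

if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    run_testcase
fi
```

Run it as root on the FreeBSD box under test; `audit_flags` can also be pointed at any existing lower/union pair after a jail has been running for a while, which catches flags silently lost on copy-up long after the mount was set up.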



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060601133410.M37536>