From: Kyle Evans
Date: Fri, 15 May 2020 00:10:35 -0500
Subject: Re: [HEADSUP] Disallowing read() of a directory fd
To: Poul-Henning Kamp
Cc: Alan Somers, "Julian H. Stacey", "freebsd-arch@freebsd.org", "freebsd-hackers@freebsd.org"

On Thu, May 14, 2020 at 3:30 PM Poul-Henning Kamp wrote:
>
> --------
> In message , Alan Somers writes:
>
> >Really?  When is that occasionally useful?  I've never seen anything useful
> >come out of reading a directory.
>
> Two things I have done over the years:
>
> Figure out which filenames prevent an enormous but sparse directory
> from being compacted.
>
> Figure out which control characters were in a filename.
>

Can we explore the possibility of using fsdb(8) to fulfill these needs
in a way that you'd be comfortable with? I am thoroughly motivated and
willing to do what I can to find a good path forward.

We could add a sysctl and remove the functionality from other
filesystems that aren't necessarily providing useful information and
likely haven't been audited for similar disclosures to
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc
that may be exacerbated by read(2) on a dirfd, but I'd like to see if
there's any compromise that we can make where the compromise on my
side is that I have to put in the effort to otherwise enable presented
valid use-cases in an agreeable manner. Is there anything that I, as a
developer that knows very little about UFS and even less when compared
to someone such as yourself, can do to facilitate making this as easy
as possible with the tooling otherwise available?

Looking at fsdb(8) briefly on this UFS partition I just spun up, it
seems as a somewhat low-hanging fruit that we could (in some/many
cases) infer a disk device from a standard directory/file path and
prompt for confirmation based on that, opening up to the proper inode,
even, as an example (wording would differ, and apologies for the
formatting):

root@shiva:/mnt# stat etc
682 12928 drwxr-xr-x 2 root wheel 26456 512 "May 14 23:58:27 2020" "May 14 23:58:27 2020" "May 14 23:58:27 2020" "May 14 23:58:27 2020" 32768 8 0 etc
root@shiva:/mnt# fsdb etc
etc is not a disk device, but is mounted from /dev/md1.
Use /dev/md1? [yn] y
** /dev/md1 (NO WRITE)
Editing file system `/dev/md1'
Last Mounted on /mnt
current inode: directory
I=12928 MODE=40755 SIZE=512
        BTIME=May 14 23:58:27 2020 [611088000 nsec]
        MTIME=May 14 23:58:27 2020 [614391000 nsec]
        CTIME=May 14 23:58:27 2020 [614391000 nsec]
        ATIME=May 14 23:58:27 2020 [614391000 nsec]
OWNER=root GRP=wheel LINKCNT=2 FLAGS=0 BLKCNT=8 GEN=a15cce24
fsdb (inum: 12928)> ls
slot 0 off 0 ino 12928 reclen 12: directory, `.'
slot 1 off 12 ino 2 reclen 500: directory, `..'
fsdb (inum: 12928)>

Thanks,

Kyle Evans