From owner-freebsd-current@freebsd.org  Thu Sep 10 16:58:09 2020
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 825AC3DE081
 for <freebsd-current@mailman.nyi.freebsd.org>;
 Thu, 10 Sep 2020 16:58:09 +0000 (UTC)
 (envelope-from shawn.webb@hardenedbsd.org)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com
 [IPv6:2607:f8b0:4864:20::732])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BnQ7N5Yydz4KKB
 for <freebsd-current@freebsd.org>; Thu, 10 Sep 2020 16:58:08 +0000 (UTC)
 (envelope-from shawn.webb@hardenedbsd.org)
Received: by mail-qk1-x732.google.com with SMTP id w16so6778106qkj.7
 for <freebsd-current@freebsd.org>; Thu, 10 Sep 2020 09:58:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:references
 :mime-version:content-disposition:in-reply-to;
 bh=k81MQn3ijQAXalpfdpRxhQ6prGXQb0Elj7rn+Ia3fPo=;
 b=at37BBxCkovGUG9s6IhKxLUWI/ISL23oYQZ8xH8W8mLtj6Sbd6wfOfPuu9KztMFrVM
 d+bT/wa/XFIoWf5H28R7KCHlsIJHaUtcfQokfz4AgS0WaVJzSzYGyU80Z5c1KM1JNecH
 3k1C7y16f9JKXycDqn3iWxyEPDnenDUhxNoTl1AWgVZzPwFzRSdqeK4QUhfgxCPPIyXc
 7c/iSR/hbrHuOB+0CBcFR2+ErVxA948ZHJ712B5kmttRlCEPAZpK9KWuqF40YO8zrwnr
 8ojo5LU/vUXYwskGb6afuKuBoSa/cPqFK42H0GzG1jFiPaGU/NOsCYuFQYRzoKisXTw+
 tC1A==
X-Gm-Message-State: AOAM5300i53xD84vmIJSDQYX5WCd/YAFEIXN5Ju0v4WO6FyywjthU2jT
 0nQjinkjXUDATvuXCNaAQXpggg==
X-Google-Smtp-Source: ABdhPJwjZWePRqaVOj0ESYZDjHr3AiA6L7HJ5+sO+MwgvCItUgI+Ej74uwyAIP+h/KnNsJDy0f8c5A==
X-Received: by 2002:a37:48c7:: with SMTP id v190mr8448115qka.153.1599757087680; 
 Thu, 10 Sep 2020 09:58:07 -0700 (PDT)
Received: from mutt-hbsd (75-148-2-186-WashingtonDC.hfc.comcastbusiness.net.
 [75.148.2.186])
 by smtp.gmail.com with ESMTPSA id e10sm7461621qtq.59.2020.09.10.09.58.05
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 10 Sep 2020 09:58:06 -0700 (PDT)
Date: Thu, 10 Sep 2020 12:58:03 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Ryan Moeller <freqlabs@FreeBSD.org>
Cc: freebsd-current@freebsd.org
Subject: Re: `zfs list` permission denied
Message-ID: <20200910165803.o2qcuxct7yyh42z4@mutt-hbsd>
X-Operating-System: FreeBSD mutt-hbsd 13.0-CURRENT-HBSD FreeBSD
 13.0-CURRENT-HBSD 
X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0xFF2E67A277F8E1FA
References: <20200910163333.erxycebv23gkqbkb@mutt-hbsd>
 <6403ab4c-47b2-5bd9-9187-d9c549ef2220@FreeBSD.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="w7jcp4jrs2bc6acc"
Content-Disposition: inline
In-Reply-To: <6403ab4c-47b2-5bd9-9187-d9c549ef2220@FreeBSD.org>
X-Rspamd-Queue-Id: 4BnQ7N5Yydz4KKB
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.11 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[hardenedbsd.org:s=google];
 NEURAL_HAM_MEDIUM(-0.98)[-0.977]; FROM_HAS_DN(0.00)[];
 TO_DN_SOME(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36];
 NEURAL_HAM_LONG(-0.98)[-0.979];
 MIME_GOOD(-0.20)[multipart/signed,text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org];
 DMARC_NA(0.00)[hardenedbsd.org]; RCVD_COUNT_THREE(0.00)[3];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 DKIM_TRACE(0.00)[hardenedbsd.org:+]; RCPT_COUNT_TWO(0.00)[2];
 RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::732:from];
 NEURAL_HAM_SHORT(-0.06)[-0.059]; SIGNED_PGP(-2.00)[];
 FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~];
 MID_RHS_NOT_FQDN(0.50)[];
 ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
 RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-current]
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 16:58:09 -0000


--w7jcp4jrs2bc6acc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Sep 10, 2020 at 12:46:45PM -0400, Ryan Moeller wrote:
>=20
> On 9/10/20 12:33 PM, Shawn Webb wrote:
> > I used to be able to run `zfs list` as an unprivileged user. Now I
> > can't, even when my user is in the operator group.
> >=20
> > =3D=3D=3D=3D BEGIN LOG =3D=3D=3D=3D
> > hbsd-current-01[shawn]:/home/shawn $ zfs list
> > Operation not permitted
> > hbsd-current-01[shawn]:/home/shawn (1) $ id
> > uid=3D1001(shawn) gid=3D1001(shawn) groups=3D1001(shawn),0(wheel),5(ope=
rator)
> > hbsd-current-01[shawn]:/home/shawn $ ls -l /dev/zfs
> > crw-rw-rw-  1 root  operator  0x52 Sep 10 10:43 /dev/zfs
> > =3D=3D=3D=3D END LOG =3D=3D=3D=3D
> >=20
> > Thanks,
> >=20
> You probably don't have the zfs module loaded. The commands will try to l=
oad
> it if it isn't, and that will fail if you aren't root.

Using root on ZFS:

=3D=3D=3D=3D BEGIN LOG =3D=3D=3D=3D
hbsd-current-01[shawn]:/scratch/logs (141) $ sudo kldstat
Password:
Id Refs Address                Size Name
 1   15                0x0  2343700 kernel
 2    1                0x0   652cb0 zfs.ko
 3    1                0x0     b778 opensolaris.ko
 4    1                0x0     2a10 mac_ntpd.ko
=3D=3D=3D=3D END LOG =3D=3D=3D=3D

I think I see the problem with your hint. Prior to the post-ZoL
OpenZFS merge, we had detected whether the user running the command
was non-root and only attempted module load if the user was root. We
do this because we restrict access to kld*/mod* syscalls to root. And,
as you can see from the output above, we scrub sensitive data from
being returned from the kldstat syscall.

I think I just need to re-apply that logic after this OpenZFS merge.
Thanks for the hint! Sometimes I forget having written code from years
back. ;)

Thanks,

--=20
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Sha=
wn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

--w7jcp4jrs2bc6acc
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl9aWxgACgkQ/y5nonf4
4frfJBAAnXpQNDP45Mrn3IoZ9JKTO2wMs0nyl9kA5R/JA8BkTARRTEC2mJrS+430
5VkMMzlkbbIFpZDC/V352T2X/eKHZ5r/nzxjivU15kHaPWMhvaZS2QACLE+CFo8c
vmuOzWu+ciGnYcYxkdedeR+gU4IvWbtQI1JUd6KznOHkUF3CAEcfOJF91X0XG8Qi
dwPWRHnIDQjiGucLDmIwRhLzSn6n97ucoaN04ELl/KS+vVUYoRWwtpeBj8dFCltF
wnVlMSmXh7xq8cVexCLHVQLYVrKGx1bNEm3GB6BMtclhJnqhCO6wBXn8KOnie/Be
PAlHB5eQ7Mi5VuckkWJo8gAA8VNlLFQaH9F9KoIfsy5nwBNjRKJZeN9Dp21QhVDY
0KbXeXeGPI5GO7q2wlGSYaV8OKle7srQGw7/ocl9It4AueEq7+W6fLwt5I2j3CBY
B4t4RaSwD0RXYkKqPZbWEAcBezaDpjUjLs2PekrpVssDsqXN71MwV++NqMyZ6khK
aCrwSVKSULF2e9WlzDjwHIzdmb+NSXWfxeHdBwK6VdgKt7K9RLB2EP/IW3reCY07
8OYry0ZUYmYbS/bcdR07o0oF24axw15tougMMmnXPyc9xQ8z9b++wmrp4nzYg90c
iYHoJTIV6cy7ZY+1nVBRjEULsex0JgKhGo/rZxGYg0u3drXir2o=
=9lEJ
-----END PGP SIGNATURE-----

--w7jcp4jrs2bc6acc--