Date: Thu, 10 Sep 2020 12:58:03 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Ryan Moeller <freqlabs@FreeBSD.org>
Cc: freebsd-current@freebsd.org
Subject: Re: `zfs list` permission denied
Message-ID: <20200910165803.o2qcuxct7yyh42z4@mutt-hbsd>
In-Reply-To: <6403ab4c-47b2-5bd9-9187-d9c549ef2220@FreeBSD.org>
References: <20200910163333.erxycebv23gkqbkb@mutt-hbsd> <6403ab4c-47b2-5bd9-9187-d9c549ef2220@FreeBSD.org>
On Thu, Sep 10, 2020 at 12:46:45PM -0400, Ryan Moeller wrote:
>
> On 9/10/20 12:33 PM, Shawn Webb wrote:
> > I used to be able to run `zfs list` as an unprivileged user. Now I
> > can't, even when my user is in the operator group.
> >
> > ==== BEGIN LOG ====
> > hbsd-current-01[shawn]:/home/shawn $ zfs list
> > Operation not permitted
> > hbsd-current-01[shawn]:/home/shawn (1) $ id
> > uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
> > hbsd-current-01[shawn]:/home/shawn $ ls -l /dev/zfs
> > crw-rw-rw-  1 root  operator  0x52 Sep 10 10:43 /dev/zfs
> > ==== END LOG ====
> >
> > Thanks,
> >
> You probably don't have the zfs module loaded. The commands will try to load
> it if it isn't, and that will fail if you aren't root.

Using root on ZFS:

==== BEGIN LOG ====
hbsd-current-01[shawn]:/scratch/logs (141) $ sudo kldstat
Password:
Id Refs Address    Size     Name
 1   15 0x0       2343700  kernel
 2    1 0x0        652cb0  zfs.ko
 3    1 0x0          b778  opensolaris.ko
 4    1 0x0          2a10  mac_ntpd.ko
==== END LOG ====

I think I see the problem with your hint. Prior to the post-ZoL OpenZFS
merge, we had detected whether the user running the command was non-root
and only attempted module load if the user was root. We do this because
we restrict access to kld*/mod* syscalls to root. And, as you can see
from the output above, we scrub sensitive data from being returned from
the kldstat syscall.

I think I just need to re-apply that logic after this OpenZFS merge.

Thanks for the hint! Sometimes I forget having written code from years
back. ;)

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc