Date:      Mon, 8 Nov 2004 02:50:07 +0200
From:      Giorgos Keramidas <keramida@freebsd.org>
To:        freebsd-rc@freebsd.org
Subject:   RFC (fwd) Re: 5.3 tmpfs mount permissions
Message-ID:  <20041108005007.GB57736@gothmog.gr>

Hi,

Does the change outlined below seem like something I should commit?

The most important part is the change in the mount_md function of
rc.subr IMHO.  If that's ok, then the rest is pretty straight-forward.

----- Forwarded message from "J.D. Bronson" <jbronson@wixb.com> -----

Date: Sun, 07 Nov 2004 18:38:29 -0600
From: "J.D. Bronson" <jbronson@wixb.com>
Subject: Re: 5.3 tmpfs mount permissions
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: freebsd-questions@freebsd.org

At 06:06 PM 11/07/2004, Giorgos Keramidas wrote:
>On 2004-11-07 14:52, "J.D. Bronson" <jbronson@wixb.com> wrote:
>> I setup /etc/rc.conf as follows:
>>
>> tmpmfs="YES"
>> tmpsize="512m"
>>
>> and it works - but I want to mount tmp with some additional
>> options and wondering how to edit /etc/rc.d/tmp to accommodate this?
>>
>> I would like to add this: noexec,nosuid,nodev,nosymfollow
>> when /tmp is mounted as tmpfs.
>
>I see no way to pass extra options to mdmfs from `/etc/rc.d/tmp'.  One
>way to do this is to modify /etc/rc.d/tmp locally, but this will create
>maintenance work for every mergemaster run you do in the future.
>
>> Can anyone offer some advice - thanks :)
>
>The following patch is against CURRENT.  Does this look like a good thing to
>you?  If it does, we could ask our rc.d gurus for their approval to commit it
>to the tree.
>
>Then, all you'd have to do to pass special options to the tmpmfs mount would
>be to add something like this to your `rc.conf':
>
>        tmpoptions="noexec,nosuid,nodev,nosymfollow"
>
>----- tmpmfs-options.patch begins here -----
>Index: etc/rc.subr
>===================================================================
>RCS file: /home/ncvs/src/etc/rc.subr,v
>retrieving revision 1.31
>diff -u -r1.31 rc.subr
>--- etc/rc.subr	30 Jul 2004 17:19:35 -0000	1.31
>+++ etc/rc.subr	7 Nov 2004 23:55:27 -0000
>@@ -1290,11 +1290,15 @@
> #   $1 = size
> #   $2 = mount point
> #   $3 = (optional) bytes-per-inode
>+#   $4 = extra options
> mount_md() {
>+	if [ -n "$4" ]; then
>+		opt="-o $4"
>+	fi
> 	if [ -n "$3" ]; then
> 		bpi="-i $3"
> 	fi
>-	/sbin/mdmfs $bpi -s $1 -M md $2
>+	/sbin/mdmfs $bpi $opt -s $1 -M md $2
> }
> 
> fi
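
Review bot: in mount_md, opt is assigned only when $4 is non-empty and is never cleared, so a value already present in the shell (from the environment or from an earlier mount_md call in the same shell) ends up on the mdmfs command line; the existing bpi follows the same pattern. Initialise both at the top of the function (opt="" and bpi="", or declare them local) before the two tests. The header comment should read "$4 = (optional) extra options" to match $3 and should say the value is handed to mdmfs as -o, which means it has to be a single comma-separated word because $opt is expanded unquoted.
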
>Index: etc/defaults/rc.conf
>===================================================================
>RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
>retrieving revision 1.229
>diff -u -r1.229 rc.conf
>--- etc/defaults/rc.conf	4 Nov 2004 13:33:29 -0000	1.229
>+++ etc/defaults/rc.conf	7 Nov 2004 23:57:34 -0000
>@@ -40,6 +40,7 @@
> removable_interfaces=""	# Removable network interfaces for /etc/pccard_ether.
> tmpmfs="AUTO"		# Set to YES to always create an mfs /tmp, NO to never
> tmpsize="20m"		# Size of mfs /tmp if created
>+tmpoptions="noexec,nosuid,nodev" # extra mount options for tmpfs
> varmfs="AUTO"		# Set to YES to always create an mfs /var, NO to never
> varsize="32m"		# Size of mfs /var if created
> populate_var="AUTO"	# Set to YES to always (re)populate /var, NO to never
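
Review bot: the new tmpoptions default is non-empty, so with tmpmfs="AUTO" every system that ends up creating an mfs /tmp would start mounting it noexec,nosuid,nodev without the administrator asking for it, while the request in this thread was for an opt-in knob. Consider shipping tmpoptions="" and giving the hardened value as an example in the comment, or call out the behaviour change explicitly if the restrictive default is intended. The comment also says "tmpfs" where the neighbouring lines say "mfs /tmp"; use the same wording.
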
>Index: etc/rc.d/tmp
>===================================================================
>RCS file: /home/ncvs/src/etc/rc.d/tmp,v
>retrieving revision 1.34
>diff -u -r1.34 tmp
>--- etc/rc.d/tmp	7 Oct 2004 13:55:26 -0000	1.34
>+++ etc/rc.d/tmp	7 Nov 2004 23:56:31 -0000
>@@ -56,7 +56,7 @@
> 			echo "dropping into shell, ^D to continue anyway."
> 			/bin/sh
> 		else
>-			mount_md ${tmpsize} /tmp
>+			mount_md ${tmpsize} /tmp ${tmpoptions}
> 			chmod 01777 /tmp
> 		fi
> 	fi
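
Review bot: the call passes ${tmpoptions} as the third argument, but the rc.subr hunk documents $3 as bytes-per-inode and $4 as the extra options, so the string would reach mdmfs as "-i noexec,..." instead of "-o noexec,...". Pass an empty third argument and quote the fourth, for example mount_md ${tmpsize} /tmp "" "${tmpoptions}", which also keeps an empty tmpoptions from changing the argument positions.
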
>Index: share/man/man5/rc.conf.5
>===================================================================
>RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
>retrieving revision 1.235
>diff -u -r1.235 rc.conf.5
>--- share/man/man5/rc.conf.5	4 Nov 2004 13:33:29 -0000	1.235
>+++ share/man/man5/rc.conf.5	8 Nov 2004 00:00:13 -0000
>@@ -240,6 +240,12 @@
> Controls the size of a created
> .Pa /tmp
> memory file system.
>+.It Va tmpoptions
>+Controls the
>+.Xr mount 8
>+options of a created
>+.Pa /tmp
>+memory file system.
> .It Va varmfs
> Controls the creation of a
> .Pa /var
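
Review bot: the tmpoptions entry does not say what form the value takes or what the default is. State that it is a comma-separated list passed through to the mount as -o options, give the default from etc/defaults/rc.conf, and mention that an empty value adds no options, so a reader can tell how to turn the restrictions off.
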
>@@ -3109,6 +3115,7 @@
> .Xr kldxref 8 ,
> .Xr lpd 8 ,
> .Xr mdconfig 8 ,
>+.Xr mount 8 ,
> .Xr mountd 8 ,
> .Xr moused 8 ,
> .Xr mrouted 8 ,
>----- tmpmfs-options.patch ends here -----


this looks GREAT. I think for security in mind, this would be a welcome 
addition to the FreeBSD OS - no ??

Thanks....I really appreciate this!



-- 
J.D. Bronson
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: jd@aurora.org // Pager: 414.314.8282

----- End forwarded message -----


