Date: Sun, 25 Jul 1999 12:07:42 +0930 (CST) From: Mark Newton <newton@internode.com.au> To: rminnich@acl.lanl.gov (Ronald G. Minnich) Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: Filesystem question... Message-ID: <199907250237.MAA21069@gizmo.internode.com.au> In-Reply-To: <Pine.SGI.4.10.9907230913240.181885-100000@acl.lanl.gov> from "Ronald G. Minnich" at Jul 23, 99 09:30:54 am
next in thread | previous in thread | raw e-mail | index | archive | help
Ronald G. Minnich wrote: > On Fri, 23 Jul 1999, Kris Kennaway wrote: > > On Thu, 22 Jul 1999, Ronald G. Minnich wrote: > > > Are you saying that as an ordinary user I can mount something on top of > > > /tmp, for example? > > If the vfs.usermount sysctl is 1, and you have appropriate access to the > > thing you're trying to mount (block device, etc). > > OK, so let's say it is 1. Let's say I have "appropriate access" to /tmp. I > mount my own fs on /tmp. I now have read/write access to everything anyone > writes to /tmp. "Appropriate access" includes the idea that you need to own the mountpoint directory. If you have a system that's so badly run that arbitrary users own /tmp, then I'd say user mounts are the least of your problems :-) > Or, let's say I don't have "appropriate access" to /tmp. Pick some other > place. I mount my file system there for my files. Now everyone who wants > can look for these user mounts and walk them at will. My private stuff is > quite public. Correct (unless you want your private stuff to be private, and chmod your mountpoint's parent directory accordingly). > But thanks for the note. I just now realized that if I add a private name > space to v9fs (which is easy), and then turn on user mounts, user > processes can have private name spaces on freebsd! I can't wait to see the security problems that causes when setuid executables assume that they only need to be worrying about one filesystem namespace. :-) - mark ---- Mark Newton Email: newton@internode.com.au (W) Network Engineer Email: newton@atdot.dotat.org (H) Internode Systems Pty Ltd Desk: +61-8-82232999 "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199907250237.MAA21069>