From owner-freebsd-fs Sun Oct 26 03:24:04 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id DAA00192 for fs-outgoing; Sun, 26 Oct 1997 03:24:04 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id DAA00187 for ; Sun, 26 Oct 1997 03:24:01 -0800 (PST) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous234.ppp.cs.tu-berlin.de [130.149.17.234]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id MAA29211 for ; Sun, 26 Oct 1997 12:20:36 +0100 (MET) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id LAA00556; Sun, 26 Oct 1997 11:41:56 +0100 (MET) Date: Sun, 26 Oct 1997 11:41:56 +0100 (MET) Message-Id: <199710261041.LAA00556@panke.panke.de> 
From: Wolfram Schneider To: freebsd-fs@freebsd.org Subject: disabled symlinks MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-fs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I want mount a file system without symlinks, e.g. mount -t mfs -o nodev,nosuid,nosymlink /dev/sd0b /tmp The nosymlink flag do not allow the creation of a symlink on the mounted file system. Here is a patch for the kernel and mount(8). # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # nosymlink-kernel.diff # nosymlink-user.diff # echo x - nosymlink-kernel.diff sed 's/^X//' >nosymlink-kernel.diff << 'END-of-nosymlink-kernel.diff'
XIndex: kern/vfs_syscalls.c
X===================================================================
XRCS file: /usr/cvs/src/sys/kern/vfs_syscalls.c,v
Xretrieving revision 1.51.2.6
Xdiff -u -r1.51.2.6 vfs_syscalls.c
X--- vfs_syscalls.c 1997/10/23 18:04:55 1.51.2.6
X+++ vfs_syscalls.c 1997/10/25 18:18:44
X@@ -183,9 +183,11 @@
X else if (mp->mnt_flag & MNT_RDONLY)
X mp->mnt_flag |= MNT_WANTRDWR;
X mp->mnt_flag &=~ (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV |
X- MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_NOATIME);
X+ MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_NOATIME |
X+ MNT_NOSYMLINK);
X mp->mnt_flag |= uap->flags & (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV |
X- MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE | MNT_NOATIME);
X+ MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE | MNT_NOATIME |
X+ MNT_NOSYMLINK);
X /*
X * Mount the filesystem.
X */
XIndex: sys/mount.h
X===================================================================
XRCS file: /usr/cvs/src/sys/sys/mount.h,v
Xretrieving revision 1.34.2.1
Xdiff -u -r1.34.2.1 mount.h
X--- mount.h 1997/08/17 13:33:43 1.34.2.1
X+++ mount.h 1997/10/25 17:23:00
X@@ -161,6 +161,7 @@
X #define MNT_UNION 0x00000020 /* union with underlying filesystem */
X #define MNT_ASYNC 0x00000040 /* file system written asynchronously */
X #define MNT_NOATIME 0x10000000 /* Disable update of file access times */
X+#define MNT_NOSYMLINK 0x20000000 /* Disable symlinks */
X
X /*
X * exported mount flags.
X@@ -185,7 +186,8 @@
X #define MNT_VISFLAGMASK (MNT_RDONLY|MNT_SYNCHRONOUS|MNT_NOEXEC|MNT_NOSUID| \
X MNT_NODEV|MNT_UNION|MNT_ASYNC|MNT_EXRDONLY|MNT_EXPORTED| \
X MNT_DEFEXPORTED|MNT_EXPORTANON|MNT_EXKERB|MNT_LOCAL| \
X- MNT_QUOTA|MNT_ROOTFS|MNT_USER|MNT_NOATIME)
X+ MNT_QUOTA|MNT_ROOTFS|MNT_USER|MNT_NOATIME|\
X+ MNT_NOSYMLINK)
X
X /*
X * filesystem control flags.
XIndex: ufs/ufs/ufs_vnops.c
X===================================================================
XRCS file: /usr/cvs/src/sys/ufs/ufs/ufs_vnops.c,v
Xretrieving revision 1.41.2.3
Xdiff -u -r1.41.2.3 ufs_vnops.c
X--- ufs_vnops.c 1997/06/29 08:48:50 1.41.2.3
X+++ ufs_vnops.c 1997/10/25 22:27:27
X@@ -1515,6 +1515,12 @@
X register struct inode *ip;
X int len, error;
X
X+ /* do not create symlinks on this file system */
X+ if (ap->a_dvp->v_mount->mnt_flag & MNT_NOSYMLINK) {
X+ vput(ap->a_dvp);
X+ return ENOSYS;
X+ }
X+
X error = ufs_makeinode(IFLNK | ap->a_vap->va_mode, ap->a_dvp,
X vpp, ap->a_cnp);
X if (error)
END-of-nosymlink-kernel.diff echo x - nosymlink-user.diff sed 's/^X//' >nosymlink-user.diff << 'END-of-nosymlink-user.diff'
XIndex: mount/mntopts.h
X===================================================================
XRCS file: /usr/cvs/src/sbin/mount/mntopts.h,v
Xretrieving revision 1.7
Xdiff -u -r1.7 mntopts.h
X--- mntopts.h 1996/09/03 07:13:55 1.7
X+++ mntopts.h 1997/10/20 15:55:25
X@@ -47,6 +47,7 @@
X #define 
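Review bot: MNT_NOSYMLINK is added to the generic flag masks in mount() (kern/vfs_syscalls.c hunk), so the option is accepted for every filesystem type, yet the only enforcement in this patch is the check in ufs_symlink(). On a filesystem whose symlink vnode operation is not ufs_symlink() the mount would presumably be reported as nosymlink while still allowing symlinks to be created, which gives an administrator false assurance. Performing the test in the symlink(2) system call path, once the parent directory vnode is known, would enforce it uniformly; failing that, mount.8 should state the limit, e.g. `This option is currently honoured only by UFS-based file systems.` The body of mount() extends beyond the hunk on both sides.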
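Review bot: The early return added to ufs_symlink() (ufs/ufs/ufs_vnops.c hunk) reports ENOSYS, which tells the caller that symlink(2) is not implemented rather than that the mount policy refused it; `return (EPERM);` would describe the refusal and let callers distinguish the two. The new path also releases only the directory vnode with `vput(ap->a_dvp)`; if the failure path of ufs_makeinode() (outside the hunk) additionally frees the pathname buffer held in `ap->a_cnp`, this return needs to do the same, otherwise every refused call may leak kernel memory, so that is worth confirming before commit. Both points also apply to the MNT_NOSYMLINKCREATE and MNT_NOSYMLINKPUBDIR returns in the later revision of this hunk further down the thread. ufs_symlink() starts and ends outside the hunk.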
MOPT_NODEV { "dev", 1, MNT_NODEV, 0 }
X #define MOPT_NOEXEC { "exec", 1, MNT_NOEXEC, 0 }
X #define MOPT_NOSUID { "suid", 1, MNT_NOSUID, 0 }
X+#define MOPT_NOSYMLINK { "symlink", 1, MNT_NOSYMLINK, 0 }
X #define MOPT_RDONLY { "rdonly", 0, MNT_RDONLY, 0 }
X #define MOPT_SYNC { "sync", 0, MNT_SYNCHRONOUS, 0 }
X #define MOPT_UNION { "union", 0, MNT_UNION, 0 }
X@@ -75,6 +76,7 @@
X MOPT_NODEV, \
X MOPT_NOEXEC, \
X MOPT_NOSUID, \
X+ MOPT_NOSYMLINK, \
X MOPT_RDONLY, \
X MOPT_UNION
X
XIndex: mount/mount.8
X===================================================================
XRCS file: /usr/cvs/src/sbin/mount/mount.8,v
Xretrieving revision 1.11.2.2
Xdiff -u -r1.11.2.2 mount.8
X--- mount.8 1997/08/24 17:52:01 1.11.2.2
X+++ mount.8 1997/10/25 22:41:36
X@@ -134,6 +134,10 @@
X wrapper like
X .Xr suidperl
X is installed on your system.
X+.It nosymlink
X+Do not allow the creation of a
X+.Xr symlink 2
X+on the mounted file system.
X .It rdonly
X The same as
X .Fl r ;
XIndex: mount/mount.c
X===================================================================
XRCS file: /usr/cvs/src/sbin/mount/mount.c,v
Xretrieving revision 1.15
Xdiff -u -r1.15 mount.c
X--- mount.c 1996/09/03 07:13:56 1.15
X+++ mount.c 1997/10/25 17:25:58
X@@ -92,6 +92,7 @@
X { MNT_NODEV, "nodev" },
X { MNT_NOEXEC, "noexec" },
X { MNT_NOSUID, "nosuid" },
X+ { MNT_NOSYMLINK, "nosymlink" },
X { MNT_QUOTA, "with quotas" },
X { MNT_RDONLY, "read-only" },
X { MNT_SYNCHRONOUS, "synchronous" },
X@@ -588,6 +589,9 @@
X
X if (ent->f_flags & MNT_ASYNC)
X printf (",async");
X+
X+ if (ent->f_flags & MNT_NOSYMLINK)
X+ printf (",nosymlink");
X
X if (fst = getfsspec (ent->f_mntfromname))
X printf ("\t%u %u\n", fst->fs_freq, fst->fs_passno);
END-of-nosymlink-user.diff exit -- Wolfram Schneider http://www.apfel.de/~wosch/ From owner-freebsd-fs Sun Oct 26 12:42:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA19580 for fs-outgoing; Sun, 26 Oct 1997 12:42:38 -0800 (PST) (envelope-from 
owner-freebsd-fs) Received: from sasami.jurai.net (winter@sasami.jurai.net [207.96.1.17]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA19573 for ; Sun, 26 Oct 1997 12:42:35 -0800 (PST) (envelope-from winter@jurai.net) Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.7/8.8.7) with SMTP id PAA01899; Sun, 26 Oct 1997 15:42:18 -0500 (EST) Date: Sun, 26 Oct 1997 15:42:18 -0500 (EST) 
From: "Matthew N. Dodd" To: Wolfram Schneider cc: freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks In-Reply-To: <199710261041.LAA00556@panke.panke.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Sun, 26 Oct 1997, Wolfram Schneider wrote: > I want mount a file system without symlinks, e.g. > > mount -t mfs -o nodev,nosuid,nosymlink /dev/sd0b /tmp > > The nosymlink flag do not allow the creation of a symlink > on the mounted file system. > > Here is a patch for the kernel and mount(8). Thats cool. A great number of the race condition exploits rely on the ability to create symlinks so this is a very useful patch. Any chance of it getting committed? /* Matthew N. Dodd | A memory retaining a love you had for life winter@jurai.net | As cruel as it seems nothing ever seems to http://www.jurai.net/~winter | go right - FLA M 3.1:53 */ From owner-freebsd-fs Sun Oct 26 15:28:13 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA27141 for fs-outgoing; Sun, 26 Oct 1997 15:28:13 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA27125 for ; Sun, 26 Oct 1997 15:28:04 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.8.4/8.8.4) with ESMTP id AAA10356 for ; Mon, 27 Oct 1997 00:27:56 +0100 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.8.6/brasil-1.2) with UUCP id AAA24618 for freebsd-fs@FreeBSD.ORG; Mon, 27 Oct 1997 00:27:32 +0100 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.7/keltia-2.11/nospam) id AAA04653; Mon, 27 Oct 1997 00:11:41 +0100 (CET) (envelope-from roberto) Message-ID: <19971027001140.31561@keltia.freenix.fr> Date: Mon, 27 Oct 1997 00:11:40 +0100 
From: Ollivier Robert To: freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks References: <199710261041.LAA00556@panke.panke.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.84 In-Reply-To: <199710261041.LAA00556@panke.panke.de>; from Wolfram Schneider on Sun, Oct 26, 1997 at 11:41:56AM +0100 X-Operating-System: FreeBSD 3.0-CURRENT ctm#3745 AMD-K6 MMX @ 208 MHz Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk According to Wolfram Schneider: > The nosymlink flag do not allow the creation of a symlink > on the mounted file system. Could you please modify your patch not to _follow_ symlinks in order to disallow all symlinks in a given FS ? I think that mounting "nosymlinks" should mean "no symlinks whatsoever". -- Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #41: Sat Oct 18 18:47:01 CEST 1997 From owner-freebsd-fs Sun Oct 26 23:53:00 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA24202 for fs-outgoing; Sun, 26 Oct 1997 23:53:00 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA24193 for ; Sun, 26 Oct 1997 23:52:56 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id IAA17352; Mon, 27 Oct 1997 08:52:41 +0100 (MET) 
From: Guido van Rooij Message-Id: <199710270752.IAA17352@gvr.gvr.org> Subject: Re: disabled symlinks In-Reply-To: <19971027001140.31561@keltia.freenix.fr> from Ollivier Robert at "Oct 27, 97 00:11:40 am" To: roberto@keltia.freenix.fr (Ollivier Robert) Date: Mon, 27 Oct 1997 08:52:41 +0100 (MET) Cc: freebsd-fs@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Ollivier Robert wrote: > According to Wolfram Schneider: > > The nosymlink flag do not allow the creation of a symlink > > on the mounted file system. > > Could you please modify your patch not to _follow_ symlinks in order to > disallow all symlinks in a given FS ? > > I think that mounting "nosymlinks" should mean "no symlinks whatsoever". In fact, perhaps this is more what you want then to disallow creation. That would also be more in lie with nosuid. Creation of these files is okay, but the s{u,g}id bits are not honoured. 
-Guido From owner-freebsd-fs Mon Oct 27 03:29:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id DAA09674 for fs-outgoing; Mon, 27 Oct 1997 03:29:38 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id DAA09669 for ; Mon, 27 Oct 1997 03:29:35 -0800 (PST) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id DAA24749; Mon, 27 Oct 1997 03:28:14 -0800 (PST) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id DAA15345; Mon, 27 Oct 1997 03:28:12 -0800 (PST) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id DAA22591; Mon, 27 Oct 1997 03:28:11 -0800 (PST) 
From: Don Lewis Message-Id: <199710271128.DAA22591@salsa.gv.tsc.tdk.com> Date: Mon, 27 Oct 1997 03:28:11 -0800 In-Reply-To: Ollivier Robert "Re: disabled symlinks" (Oct 27, 12:11am) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Ollivier Robert , freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Oct 27, 12:11am, Ollivier Robert wrote: } Subject: Re: disabled symlinks } According to Wolfram Schneider: } > The nosymlink flag do not allow the creation of a symlink } > on the mounted file system. I'd prefer an option that only affected symlinks in certain directories (perhaps publicly writable directories). Symlinks in /tmp are a hazard, but symlinks in subdirectories of /tmp probably aren't. What if you want to unpack a tar archive containing symlinks in a subdirectory of /tmp? } Could you please modify your patch not to _follow_ symlinks in order to } disallow all symlinks in a given FS ? This is also reasonable, but what errno value is appropriate for syscalls that encounter the forbidden symlinks? From owner-freebsd-fs Mon Oct 27 05:28:44 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA19718 for fs-outgoing; Mon, 27 Oct 1997 05:28:44 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id FAA19703 for ; Mon, 27 Oct 1997 05:28:39 -0800 (PST) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous214.ppp.cs.tu-berlin.de [130.149.17.214]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id OAA16797; Mon, 27 Oct 1997 14:13:30 +0100 (MET) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id NAA00568; Mon, 27 Oct 1997 13:45:04 +0100 (MET) To: Don Lewis Cc: Ollivier Robert , freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks References: <199710271128.DAA22591@salsa.gv.tsc.tdk.com> 
From: Wolfram Schneider Date: 27 Oct 1997 13:45:01 +0100 In-Reply-To: Don Lewis's message of Mon, 27 Oct 1997 03:28:11 -0800 Message-ID: Lines: 23 Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Don Lewis writes: > } > The nosymlink flag do not allow the creation of a symlink > } > on the mounted file system. > > I'd prefer an option that only affected symlinks in certain directories > (perhaps publicly writable directories). I thought about that too. May be public writable + sticky bit (mode 1777). IMHO this should be controlled by a sysctl variable 1) do not create symlinks 2) do not follow symlinks at all 3) do not follow symlinks in directories with the mode 1777 > } Could you please modify your patch not to _follow_ symlinks in order to > } disallow all symlinks in a given FS ? > > This is also reasonable, but what errno value is appropriate for syscalls > that encounter the forbidden symlinks? #define EACCES 13 /* Permission denied */ -- Wolfram Schneider http://www.apfel.de/~wosch/ From owner-freebsd-fs Mon Oct 27 09:28:07 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA07577 for fs-outgoing; Mon, 27 Oct 1997 09:28:07 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from usr01.primenet.com (tlambert@usr01.primenet.com [206.165.6.201]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA07467 for ; Mon, 27 Oct 1997 09:27:55 -0800 (PST) (envelope-from tlambert@usr01.primenet.com) Received: (from tlambert@localhost) by usr01.primenet.com (8.8.5/8.8.5) id KAA13912; Mon, 27 Oct 1997 10:26:09 -0700 (MST) 
From: Terry Lambert Message-Id: <199710271726.KAA13912@usr01.primenet.com> Subject: Re: disabled symlinks To: guido@gvr.org (Guido van Rooij) Date: Mon, 27 Oct 1997 17:26:08 +0000 (GMT) Cc: roberto@keltia.freenix.fr, freebsd-fs@FreeBSD.ORG In-Reply-To: <199710270752.IAA17352@gvr.gvr.org> from "Guido van Rooij" at Oct 27, 97 08:52:41 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > > The nosymlink flag do not allow the creation of a symlink > > > on the mounted file system. > > > > Could you please modify your patch not to _follow_ symlinks in order to > > disallow all symlinks in a given FS ? > > > > I think that mounting "nosymlinks" should mean "no symlinks whatsoever". > > In fact, perhaps this is more what you want then to disallow creation. > That would also be more in lie with nosuid. Creation of these files is okay, > but the s{u,g}id bits are not honoured. I disagree. If you disallow creation of links, then the only way links could exist is if they were put there before the mount option was specified -- ie: by the system administrator. In fact, I would prefer he modify the patch to still allow root to create symlinks. The danger you are escaping is symlinks created by your users. Personally, I'd prefer that the security holes be closed instead of worked around in this manner anyway, but if you are adding an option as administrative fiat, then it ought to respect the administrator. As far as "nosuid" goes, I will note that if root runs a program on a nosuid mounted volume, the program runs as root. And root can also "suid" to any user id, and run the program, simulating an "suid" event. So if the intent is to make it act like "nosuid", then it should only affect creation, and being root should override the option (ie: root can still create symlinks). Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. 
From owner-freebsd-fs Mon Oct 27 10:30:28 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA12520 for fs-outgoing; Mon, 27 Oct 1997 10:30:28 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA12505 for ; Mon, 27 Oct 1997 10:30:11 -0800 (PST) (envelope-from guido@gvr.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id TAA01989; Mon, 27 Oct 1997 19:28:51 +0100 (MET) 
From: Guido van Rooij Message-Id: <199710271828.TAA01989@gvr.gvr.org> Subject: Re: disabled symlinks In-Reply-To: <199710271726.KAA13912@usr01.primenet.com> from Terry Lambert at "Oct 27, 97 05:26:08 pm" To: tlambert@primenet.com (Terry Lambert) Date: Mon, 27 Oct 1997 19:28:51 +0100 (MET) Cc: roberto@keltia.freenix.fr, freebsd-fs@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > As far as "nosuid" goes, I will note that if root runs a program on > a nosuid mounted volume, the program runs as root. And root can also > "suid" to any user id, and run the program, simulating an "suid" event. > ?? So what. That isn;t the issue here. If root runs rm -rf / things will also break. That has nothing to do with suid. > So if the intent is to make it act like "nosuid", then it should only > affect creation, and being root should override the option (ie: root > can still create symlinks). I still think otherwise. Now that symlinks do have owners, teh same can be achieved by only following symlinks if they are owned by root. 
-Guido From owner-freebsd-fs Mon Oct 27 10:56:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA14715 for fs-outgoing; Mon, 27 Oct 1997 10:56:25 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from smtp04.primenet.com (smtp04.primenet.com [206.165.5.85]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA14708 for ; Mon, 27 Oct 1997 10:56:20 -0800 (PST) (envelope-from tlambert@usr04.primenet.com) Received: (from daemon@localhost) by smtp04.primenet.com (8.8.7/8.8.7) id LAA16860; Mon, 27 Oct 1997 11:56:14 -0700 (MST) Received: from usr04.primenet.com(206.165.6.204) via SMTP by smtp04.primenet.com, id smtpd016845; Mon Oct 27 11:56:04 1997 Received: (from tlambert@localhost) by usr04.primenet.com (8.8.5/8.8.5) id LAA25520; Mon, 27 Oct 1997 11:56:01 -0700 (MST) 
From: Terry Lambert Message-Id: <199710271856.LAA25520@usr04.primenet.com> Subject: Re: disabled symlinks To: guido@gvr.org (Guido van Rooij) Date: Mon, 27 Oct 1997 18:56:01 +0000 (GMT) Cc: tlambert@primenet.com, roberto@keltia.freenix.fr, freebsd-fs@FreeBSD.ORG In-Reply-To: <199710271828.TAA01989@gvr.gvr.org> from "Guido van Rooij" at Oct 27, 97 07:28:51 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > As far as "nosuid" goes, I will note that if root runs a program on > > a nosuid mounted volume, the program runs as root. And root can also > > "suid" to any user id, and run the program, simulating an "suid" event. > > ?? So what. That isn;t the issue here. If root runs rm -rf / things > will also break. That has nothing to do with suid. The "nosuid" was someone else's analogy. If you want nosymlink to be analogous, then excepting root from enforcement is the correct way to do it. > I still think otherwise. Now that symlinks do have owners, teh > same can be achieved by only following symlinks if they are > owned by root. This is much less objectionable to me than not following symlinks; on the other hand, you only need to *either* not allow them *OR* not follow them. The protection doesn't get better if you do both. Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. 
From owner-freebsd-fs Mon Oct 27 19:08:21 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA19097 for fs-outgoing; Mon, 27 Oct 1997 19:08:21 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from sasami.jurai.net (winter@sasami.jurai.net [207.96.1.17]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA19092 for ; Mon, 27 Oct 1997 19:08:18 -0800 (PST) (envelope-from winter@jurai.net) Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.7/8.8.7) with SMTP id WAA17386; Mon, 27 Oct 1997 22:07:33 -0500 (EST) Date: Mon, 27 Oct 1997 22:07:32 -0500 (EST) 
From: "Matthew N. Dodd" To: Wolfram Schneider cc: Don Lewis , Ollivier Robert , freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On 27 Oct 1997, Wolfram Schneider wrote: > I thought about that too. May be public writable + sticky bit (mode 1777). > IMHO this should be controlled by a sysctl variable > 1) do not create symlinks > 2) do not follow symlinks at all > 3) do not follow symlinks in directories with the mode 1777 Or discrete mount options? nocsymlink nofsymlink etc? /* Matthew N. Dodd | A memory retaining a love you had for life winter@jurai.net | As cruel as it seems nothing ever seems to http://www.jurai.net/~winter | go right - FLA M 3.1:53 */ From owner-freebsd-fs Tue Oct 28 07:34:21 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA29308 for fs-outgoing; Tue, 28 Oct 1997 07:34:21 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mailer.zib.de (mailer.zib.de [130.73.108.11]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA29189 for ; Tue, 28 Oct 1997 07:33:49 -0800 (PST) (envelope-from wolfram@softs11.zib.de) Received: from soft13.zib.de (soft13.zib.de [130.73.63.13] (may be forged)) by mailer.zib.de (8.8.7/8.8.7) with SMTP id QAA18146; Tue, 28 Oct 1997 16:33:20 +0100 (MET) Received: by soft13.zib.de (SMI-8.6/SMI-SVR4) id QAA04035; Tue, 28 Oct 1997 16:33:19 +0100 Date: Tue, 28 Oct 1997 16:33:19 +0100 Message-Id: <199710281533.QAA04035@soft13.zib.de> 
From: Wolfram Schneider To: Ollivier Robert Cc: freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks In-Reply-To: <19971027001140.31561@keltia.freenix.fr> References: <199710261041.LAA00556@panke.panke.de> <19971027001140.31561@keltia.freenix.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Ollivier Robert writes: >According to Wolfram Schneider: >> The nosymlink flag do not allow the creation of a symlink >> on the mounted file system. >Could you please modify your patch not to _follow_ symlinks in order to >disallow all symlinks in a given FS ? The patch return 'Permission denied' for symlinks in the kernel function namei/lookup. Index: vfs_lookup.c =================================================================== RCS file: /usr/cvs/src/sys/kern/vfs_lookup.c,v retrieving revision 1.11.4.1 diff -u -r1.11.4.1 vfs_lookup.c --- vfs_lookup.c 1996/12/03 15:48:25 1.11.4.1 +++ vfs_lookup.c 1997/10/27 14:51:56 
@@ -493,6 +493,10 @@ ((cnp->cn_flags & FOLLOW) || trailing_slash || *ndp->ni_next == '/')) { cnp->cn_flags |= ISSYMLINK; + if (dp->v_mount->mnt_flag & MNT_NOSYMLINK) { + error = EACCES; + goto bad2; + } return (0); } From owner-freebsd-fs Wed Oct 29 16:40:15 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA28936 for fs-outgoing; Wed, 29 Oct 1997 16:40:15 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA28929 for ; Wed, 29 Oct 1997 16:40:11 -0800 (PST) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous215.ppp.cs.tu-berlin.de [130.149.17.215]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id BAA18061; Thu, 30 Oct 1997 01:37:18 +0100 (MET) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id AAA00609; Thu, 30 Oct 1997 00:57:02 +0100 (MET) To: Terry Lambert Cc: freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks References: <199710271726.KAA13912@usr01.primenet.com> 
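Review bot: The check added to lookup() in vfs_lookup.c carries no comment, and its scope is easy to misread. It sits inside the branch that is taken only when the link is about to be traversed (FOLLOW set, a trailing slash, or more path components), and it tests the mount of the symlink vnode `dp`, so operations that do not follow the link are presumably unaffected and a link stored on a different filesystem that points into the restricted mount is presumably still followed. I would state that above the test, e.g. `/* MNT_NOSYMLINK: refuse to traverse symlinks stored on this mount */`, and place `cnp->cn_flags |= ISSYMLINK;` after the check so the flag is not left set on the error path. The `bad2` cleanup label and the start of the enclosing condition are outside the hunk.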
From: Wolfram Schneider Date: 30 Oct 1997 00:57:00 +0100 In-Reply-To: Terry Lambert's message of Mon, 27 Oct 1997 17:26:08 +0000 (GMT) Message-ID: Lines: 19 Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Terry Lambert writes: > In fact, I would prefer he modify the patch to still allow root to > create symlinks. Agreed. Good idea! > The danger you are escaping is symlinks created by your users. Right. > Personally, I'd prefer that the security holes be closed instead of > worked around in this manner anyway, uh-huh ;-) -- Wolfram Schneider http://www.apfel.de/~wosch/ From owner-freebsd-fs Wed Oct 29 17:28:37 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA02385 for fs-outgoing; Wed, 29 Oct 1997 17:28:37 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from global.com (global.com [206.40.50.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA02376 for ; Wed, 29 Oct 1997 17:28:33 -0800 (PST) (envelope-from gopu@global.com) Message-ID: <3457E1F0.AC037AFD@global.com> Date: Wed, 29 Oct 1997 17:25:04 -0800 
From: Gopakumar H Pillai Organization: Global Automation Inc. X-Mailer: Mozilla 4.02 [en] (Win95; I) MIME-Version: 1.0 To: fs@freebsd.org Subject: Help in disk recovery Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-fs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I am a sysadmin, fairly new to the job. The OS is FreeBSD 2.2.2. I had a disk sd0s1e of 2GB and sd1s1e of 1GB. In the process of finding out the device name of the tape drive I did a "tar cvf rsd0 /tmp". The amount of data I have written over the raw disk is about 20K. This disk has /usr. I need to retrieve /usr, mainly my mails in /usr/home. How should I go about it? I retrieved sd1s1e, i.e. /var and got the /var/mail. I cannot mount or fsck this device since it complains, improper superblock. I have another machine with similar partitioning, would that help? How can I make an exact image of the ruined disk on another one of the same hardware configuration? Which is a good book to know the inside out of the FreeBSD 2.2.2 File system? 
-- --Gopu (gopu@global.com) From owner-freebsd-fs Thu Oct 30 15:20:09 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA19776 for fs-outgoing; Thu, 30 Oct 1997 15:20:09 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA19676 for ; Thu, 30 Oct 1997 15:19:30 -0800 (PST) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous216.ppp.cs.tu-berlin.de [130.149.17.216]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id AAA12864; Fri, 31 Oct 1997 00:16:56 +0100 (MET) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id AAA00468; Fri, 31 Oct 1997 00:13:53 +0100 (MET) To: Ollivier Robert Cc: freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks References: <199710261041.LAA00556@panke.panke.de> <19971027001140.31561@keltia.freenix.fr> From: Wolfram Schneider Date: 31 Oct 1997 00:13:48 +0100 In-Reply-To: Ollivier Robert's message of Mon, 27 Oct 1997 00:11:40 +0100 Message-ID: Lines: 241 Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Ollivier Robert writes: > Could you please modify your patch not to _follow_ symlinks in order to > disallow all symlinks in a given FS ? I split the nosymlink flag into 3 flags nosymlinkcreate Do not allow the creation of a symlink(2) for non-root users on the mounted file system. nosymlinkfollow Do not follow symlinks on the mounted file system. nosymlinkpubdir Do not allow the creation of a symlink(2) for non-root users in public writable directories with the sticky bit (mode 1777) on the mounted file system. Index: sys/sys/mount.h =================================================================== RCS file: /usr/cvs/src/sys/sys/mount.h,v retrieving revision 1.34.2.1 diff -u -r1.34.2.1 mount.h --- mount.h 1997/08/17 13:33:43 1.34.2.1 +++ mount.h 1997/10/30 17:04:30 
@@ -161,6 +161,10 @@ #define MNT_UNION 0x00000020 /* union with underlying filesystem */ #define MNT_ASYNC 0x00000040 /* file system written asynchronously */ #define MNT_NOATIME 0x10000000 /* Disable update of file access times */ +#define MNT_NOSYMLINKCREATE 0x20000000 /* do not create symlinks */ +#define MNT_NOSYMLINKFOLLOW 0x40000000 /* do not follow symlinks */ +/* do not create symlinks in public writable directories with sticky bit */ +#define MNT_NOSYMLINKPUBDIR 0x80000000 /* * exported mount flags. @@ -185,7 +189,9 @@ #define MNT_VISFLAGMASK (MNT_RDONLY|MNT_SYNCHRONOUS|MNT_NOEXEC|MNT_NOSUID| \ MNT_NODEV|MNT_UNION|MNT_ASYNC|MNT_EXRDONLY|MNT_EXPORTED| \ MNT_DEFEXPORTED|MNT_EXPORTANON|MNT_EXKERB|MNT_LOCAL| \ - MNT_QUOTA|MNT_ROOTFS|MNT_USER|MNT_NOATIME) + MNT_QUOTA|MNT_ROOTFS|MNT_USER|MNT_NOATIME|\ + MNT_NOSYMLINKCREATE|MNT_NOSYMLINKFOLLOW|\ + MNT_NOSYMLINKPUBDIR) /* * filesystem control flags. Index: sys/kern/vfs_lookup.c =================================================================== RCS file: /usr/cvs/src/sys/kern/vfs_lookup.c,v retrieving revision 1.11.4.1 diff -u -r1.11.4.1 vfs_lookup.c --- vfs_lookup.c 1996/12/03 15:48:25 1.11.4.1 +++ vfs_lookup.c 1997/10/30 17:05:55 @@ -493,6 +493,10 @@ ((cnp->cn_flags & FOLLOW) || trailing_slash || *ndp->ni_next == '/')) { cnp->cn_flags |= ISSYMLINK; + if (dp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) { + error = EACCES; + goto bad2; + } return (0); } Index: sys/kern/vfs_syscalls.c =================================================================== RCS file: /usr/cvs/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.51.2.6 diff -u -r1.51.2.6 vfs_syscalls.c --- vfs_syscalls.c 1997/10/23 18:04:55 1.51.2.6 +++ vfs_syscalls.c 1997/10/30 22:24:47 
@@ -183,9 +183,11 @@ else if (mp->mnt_flag & MNT_RDONLY) mp->mnt_flag |= MNT_WANTRDWR; mp->mnt_flag &=~ (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV | - MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_NOATIME); + MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_NOATIME | + MNT_NOSYMLINKCREATE | MNT_NOSYMLINKFOLLOW | MNT_NOSYMLINKPUBDIR); mp->mnt_flag |= uap->flags & (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV | - MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE | MNT_NOATIME); + MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE | MNT_NOATIME | + MNT_NOSYMLINKCREATE | MNT_NOSYMLINKFOLLOW | MNT_NOSYMLINKPUBDIR); /* * Mount the filesystem. */ @@ -1326,8 +1328,10 @@ return (error); vp = nd.ni_vp; error = vn_stat(vp, &sb, p); - if (vp->v_type == VLNK) + if (vp->v_type == VLNK && + (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) != 0) sb.st_mode |= S_IFLNK | ACCESSPERMS; /* 0777 */ + vput(vp); if (error) return (error); Index: sys/kern/vfs_vnops.c =================================================================== RCS file: /usr/cvs/src/sys/kern/vfs_vnops.c,v retrieving revision 1.26.2.2 diff -u -r1.26.2.2 vfs_vnops.c --- vfs_vnops.c 1997/03/08 15:16:18 1.26.2.2 +++ vfs_vnops.c 1997/10/30 22:24:34 @@ -353,6 +353,9 @@ break; case VLNK: mode |= S_IFLNK; + /* mark symlinks as unreadable, cosmetic, 000 */ + if (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) + mode &= ~ACCESSPERMS; break; case VSOCK: mode |= S_IFSOCK; Index: sys/ufs/ufs/ufs_vnops.c =================================================================== RCS file: /usr/cvs/src/sys/ufs/ufs/ufs_vnops.c,v retrieving revision 1.41.2.3 diff -u -r1.41.2.3 ufs_vnops.c --- ufs_vnops.c 1997/06/29 08:48:50 1.41.2.3 +++ ufs_vnops.c 1997/10/30 17:53:53 
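Review bot: The comment added in the vfs_vnops.c hunk, `/* mark symlinks as unreadable, cosmetic, 000 */`, does not say where the restriction is enforced, so a reader of the stat output could take mode 000 for the access control itself. Going by the vfs_lookup.c hunk of this patch, the refusal happens in lookup and only when the link would be followed. I would word the comment as `/* display only: clear the permission bits so ls shows l---------; following is refused in lookup() */`. The switch this case belongs to starts and ends outside the hunk.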
@@ -1515,6 +1515,26 @@ register struct inode *ip; int len, error; + /* do not create symlinks for non-root users */ + if (ap->a_dvp->v_mount->mnt_flag & MNT_NOSYMLINKCREATE && + ap->a_cnp->cn_cred->cr_uid != 0) { + vput(ap->a_dvp); + return ENOSYS; + } else + + /* + * Do not create symlinks for non-root users in + * public writable directories with sticky bit (mode = 41777) + */ + if (ap->a_dvp->v_mount->mnt_flag & MNT_NOSYMLINKPUBDIR && + ap->a_cnp->cn_cred->cr_uid != 0 && + (VTOI(ap->a_dvp)->i_mode & + (S_IFDIR | S_ISTXT | S_IRWXU | S_IRWXG | S_IRWXO)) == + (S_IFDIR | S_ISTXT | S_IRWXU | S_IRWXG | S_IRWXO)) { + vput(ap->a_dvp); + return ENOSYS; + } + error = ufs_makeinode(IFLNK | ap->a_vap->va_mode, ap->a_dvp, vpp, ap->a_cnp); if (error) Index: sbin/mount/mntopts.h =================================================================== RCS file: /usr/cvs/src/sbin/mount/mntopts.h,v retrieving revision 1.7 diff -u -r1.7 mntopts.h --- mntopts.h 1996/09/03 07:13:55 1.7 +++ mntopts.h 1997/10/30 18:07:12 @@ -47,6 +47,9 @@ #define MOPT_NODEV { "dev", 1, MNT_NODEV, 0 } #define MOPT_NOEXEC { "exec", 1, MNT_NOEXEC, 0 } #define MOPT_NOSUID { "suid", 1, MNT_NOSUID, 0 } +#define MOPT_NOSYMLINKCREATE { "symlinkcreate", 1, MNT_NOSYMLINKCREATE, 0 } +#define MOPT_NOSYMLINKFOLLOW { "symlinkfollow", 1, MNT_NOSYMLINKFOLLOW, 0 } +#define MOPT_NOSYMLINKPUBDIR { "symlinkpubdir", 1, MNT_NOSYMLINKPUBDIR, 0 } #define MOPT_RDONLY { "rdonly", 0, MNT_RDONLY, 0 } #define MOPT_SYNC { "sync", 0, MNT_SYNCHRONOUS, 0 } #define MOPT_UNION { "union", 0, MNT_UNION, 0 } @@ -75,6 +78,9 @@ MOPT_NODEV, \ MOPT_NOEXEC, \ MOPT_NOSUID, \ + MOPT_NOSYMLINKCREATE, \ + MOPT_NOSYMLINKFOLLOW, \ + MOPT_NOSYMLINKPUBDIR, \ MOPT_RDONLY, \ MOPT_UNION Index: sbin/mount/mount.8 =================================================================== RCS file: /usr/cvs/src/sbin/mount/mount.8,v retrieving revision 1.11.2.2 diff -u -r1.11.2.2 mount.8 --- mount.8 1997/08/24 17:52:01 1.11.2.2 +++ mount.8 1997/10/30 18:00:57 
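Review bot: The nosymlinkpubdir test in the ufs_vnops.c hunk matches only a directory whose mode is exactly 1777, so a sticky directory that is world-writable without every other permission bit set (1773 or 1733, for example) is not covered although it is just as public. Testing the two bits that matter closes the gap: `(VTOI(ap->a_dvp)->i_mode & (S_ISTXT | S_IWOTH)) == (S_ISTXT | S_IWOTH)`. Both refusals return `ENOSYS`, which tells the caller the system call does not exist; `EPERM` describes a policy refusal. The bare `} else` that binds to the second `if` across a blank line and a comment can simply go, since the first branch returns. As shown, the create restrictions are enforced only in this UFS routine while the mount options are added to the general option tables, so a filesystem with its own symlink operation would presumably accept the flag and not enforce it; a check in the generic symlink path would cover every filesystem. The function begins and continues outside the hunk, so whether these early returns release everything the later error path releases, beyond `vput(ap->a_dvp)`, should be checked there.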
@@ -134,6 +134,20 @@ wrapper like .Xr suidperl is installed on your system. +.It nosymlinkcreate +Do not allow the creation of a +.Xr symlink 2 +for non-root users +on the mounted file system. +.It nosymlinkfollow +Do not follow symlinks +on the mounted file system. +.It nosymlinkpubdir +Do not allow the creation of a +.Xr symlink 2 +for non-root users in public writable directories with the +sticky bit (mode 1777) +on the mounted file system. .It rdonly The same as .Fl r ; Index: sbin/mount/mount.c =================================================================== RCS file: /usr/cvs/src/sbin/mount/mount.c,v retrieving revision 1.15 diff -u -r1.15 mount.c --- mount.c 1996/09/03 07:13:56 1.15 +++ mount.c 1997/10/30 17:58:35 @@ -92,6 +92,9 @@ { MNT_NODEV, "nodev" }, { MNT_NOEXEC, "noexec" }, { MNT_NOSUID, "nosuid" }, + { MNT_NOSYMLINKCREATE, "nosymlinkcreate" }, + { MNT_NOSYMLINKFOLLOW, "nosymlinkfollow" }, + { MNT_NOSYMLINKPUBDIR, "nosymlinkpubdir" }, { MNT_QUOTA, "with quotas" }, { MNT_RDONLY, "read-only" }, { MNT_SYNCHRONOUS, "synchronous" }, 
@@ -588,6 +591,15 @@ if (ent->f_flags & MNT_ASYNC) printf (",async"); + + if (ent->f_flags & MNT_NOSYMLINKCREATE) + printf (",nosymlinkcreate"); + + if (ent->f_flags & MNT_NOSYMLINKFOLLOW) + printf (",nosymlinkfollow"); + + if (ent->f_flags & MNT_NOSYMLINKPUBDIR) + printf (",nosymlinkpubdir"); if (fst = getfsspec (ent->f_mntfromname)) printf ("\t%u %u\n", fst->fs_freq, fst->fs_passno); -- Wolfram Schneider http://www.apfel.de/~wosch/ From owner-freebsd-fs Thu Oct 30 17:11:58 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA26572 for fs-outgoing; Thu, 30 Oct 1997 17:11:58 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA26566 for ; Thu, 30 Oct 1997 17:11:54 -0800 (PST) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id RAA12839; Thu, 30 Oct 1997 17:11:26 -0800 (PST) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id RAA06367; Thu, 30 Oct 1997 17:11:25 -0800 (PST) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id RAA02224; Thu, 30 Oct 1997 17:11:24 -0800 (PST) 
From: Don Lewis Message-Id: <199710310111.RAA02224@salsa.gv.tsc.tdk.com> Date: Thu, 30 Oct 1997 17:11:23 -0800 In-Reply-To: Wolfram Schneider "Re: disabled symlinks" (Oct 31, 12:13am) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Wolfram Schneider , Ollivier Robert Subject: Re: disabled symlinks Cc: freebsd-fs@FreeBSD.ORG Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Oct 31, 12:13am, Wolfram Schneider wrote: } Subject: Re: disabled symlinks } Index: sys/kern/vfs_syscalls.c } =================================================================== } RCS file: /usr/cvs/src/sys/kern/vfs_syscalls.c,v } retrieving revision 1.51.2.6 } diff -u -r1.51.2.6 vfs_syscalls.c } --- vfs_syscalls.c 1997/10/23 18:04:55 1.51.2.6 } +++ vfs_syscalls.c 1997/10/30 22:24:47 } 
@@ -1326,8 +1328,10 @@ } return (error); } vp = nd.ni_vp; } error = vn_stat(vp, &sb, p); } - if (vp->v_type == VLNK) } + if (vp->v_type == VLNK && } + (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) != 0) This test looks backwards to me (it changes the behavior if the new nosymlinkfollow option is not set). I'm also not clear as to why the behaviour even depends on the option. Also, shouldn't the same change be made to both lstat() and olstat()? } sb.st_mode |= S_IFLNK | ACCESSPERMS; /* 0777 */ } + } vput(vp); } if (error) } return (error); --- Truck From owner-freebsd-fs Fri Oct 31 04:34:57 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA02058 for fs-outgoing; Fri, 31 Oct 1997 04:34:57 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id EAA02051 for ; Fri, 31 Oct 1997 04:34:47 -0800 (PST) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous214.ppp.cs.tu-berlin.de [130.149.17.214]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id NAA15425; Fri, 31 Oct 1997 13:27:16 +0100 (MET) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id MAA00284; Fri, 31 Oct 1997 12:09:19 +0100 (MET) To: Don Lewis Cc: Wolfram Schneider , Ollivier Robert , freebsd-fs@freebsd.org Subject: Re: disabled symlinks References: <199710310111.RAA02224@salsa.gv.tsc.tdk.com> 
From: Wolfram Schneider Date: 31 Oct 1997 12:09:17 +0100 In-Reply-To: Don Lewis's message of Thu, 30 Oct 1997 17:11:23 -0800 Message-ID: Lines: 51 Sender: owner-freebsd-fs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Don Lewis writes: > On Oct 31, 12:13am, Wolfram Schneider wrote: > } Subject: Re: disabled symlinks > } Index: sys/kern/vfs_syscalls.c > } =================================================================== > } RCS file: /usr/cvs/src/sys/kern/vfs_syscalls.c,v > } retrieving revision 1.51.2.6 > } diff -u -r1.51.2.6 vfs_syscalls.c > } --- vfs_syscalls.c 1997/10/23 18:04:55 1.51.2.6 > } +++ vfs_syscalls.c 1997/10/30 22:24:47 > } 
@@ -1326,8 +1328,10 @@ > } return (error); > } vp = nd.ni_vp; > } error = vn_stat(vp, &sb, p); > } - if (vp->v_type == VLNK) > } + if (vp->v_type == VLNK && > } + (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) != 0) ^^ > This test looks backwards to me (it changes the behavior if the > new nosymlinkfollow option is not set). I'm also not clear as > to why the behaviour even depends on the option. It is a typo and should be (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) == 0) Thanks for the hint! vfs_syscalls.c rev 1.62 Symlinks do not have modes though, they are accessable to everything that can read the directory (as before). They are made to show this fact at lstat time (they appear as mode 0777 always, since that's how the the lookup routines in the kernel treat them). Now it will be (in function lstat and vn_stat) if (symbolic link) { if (does not follow symlinks) change the mode to 0000 (l---------) else change the mode to 0777 (lrwxrwxrwx) } > Also, shouldn't > the same change be made to both lstat() and olstat()? This is a cosmetic change. I don't think we should change old system calls if it is not necessary. I doubt that anybody use an old ls(1) command. -- Wolfram Schneider http://www.apfel.de/~wosch/ From owner-freebsd-fs Fri Oct 31 05:29:10 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA05189 for fs-outgoing; Fri, 31 Oct 1997 05:29:10 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id FAA05180 for ; Fri, 31 Oct 1997 05:29:06 -0800 (PST) (envelope-from bde@zeta.org.au) Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.6.9) id AAA17135; Sat, 1 Nov 1997 00:25:57 +1100 Date: Sat, 1 Nov 1997 00:25:57 +1100 
From: Bruce Evans Message-Id: <199710311325.AAA17135@godzilla.zeta.org.au> To: Don.Lewis@tsc.tdk.com, wosch@cs.tu-berlin.de Subject: Re: disabled symlinks Cc: freebsd-fs@FreeBSD.ORG, roberto@keltia.freenix.fr Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >> } diff -u -r1.51.2.6 vfs_syscalls.c >> } --- vfs_syscalls.c 1997/10/23 18:04:55 1.51.2.6 >> } +++ vfs_syscalls.c 1997/10/30 22:24:47 >> } 
@@ -1326,8 +1328,10 @@ >> } return (error); >> } vp = nd.ni_vp; >> } error = vn_stat(vp, &sb, p); >> } - if (vp->v_type == VLNK) >> } + if (vp->v_type == VLNK && >> } + (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) != 0) > ^^ > >> This test looks backwards to me (it changes the behavior if the >> new nosymlinkfollow option is not set). I'm also not clear as >> to why the behaviour even depends on the option. It's also wrong because it breaks the setting of S_IFLNK. >vfs_syscalls.c rev 1.62 >Symlinks do not have modes though, they are accessable to everything that >can read the directory (as before). They are made to show this fact at >lstat time (they appear as mode 0777 always, since that's how the the >lookup routines in the kernel treat them). This seems OK. >> Also, shouldn't >> the same change be made to both lstat() and olstat()? > >This is a cosmetic change. I don't think we should change >old system calls if it is not necessary. I doubt that anybody >use an old ls(1) command. Old syscalls should work as consistently as possible if they are supported. Bruce From owner-freebsd-fs Fri Oct 31 10:39:18 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA26391 for fs-outgoing; Fri, 31 Oct 1997 10:39:18 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from smtp04.primenet.com (smtp04.primenet.com [206.165.5.85]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA26384 for ; Fri, 31 Oct 1997 10:39:12 -0800 (PST) (envelope-from tlambert@usr05.primenet.com) Received: (from daemon@localhost) by smtp04.primenet.com (8.8.7/8.8.7) id LAA02651; Fri, 31 Oct 1997 11:39:04 -0700 (MST) Received: from usr05.primenet.com(206.165.6.205) via SMTP by smtp04.primenet.com, id smtpd002631; Fri Oct 31 11:38:54 1997 Received: (from tlambert@localhost) by usr05.primenet.com (8.8.5/8.8.5) id LAA01803; Fri, 31 Oct 1997 11:38:36 -0700 (MST) 
From: Terry Lambert Message-Id: <199710311838.LAA01803@usr05.primenet.com> Subject: Re: disabled symlinks To: wosch@cs.tu-berlin.de (Wolfram Schneider) Date: Fri, 31 Oct 1997 18:38:35 +0000 (GMT) Cc: Don.Lewis@tsc.tdk.com, wosch@cs.tu-berlin.de, roberto@keltia.freenix.fr, freebsd-fs@FreeBSD.ORG In-Reply-To: from "Wolfram Schneider" at Oct 31, 97 12:09:17 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > Also, shouldn't > > the same change be made to both lstat() and olstat()? > > This is a cosmetic change. I don't think we should change > old system calls if it is not necessary. I doubt that anybody > use an old ls(1) command. This whole thing was billed as a security workaround for a race condition that didn't want to get fixed the right way. 8-(. If it's for security, what prevents a putative hacker from calling legacy code which uses the olstat entry point? Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. From owner-freebsd-fs Fri Oct 31 10:50:03 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA27192 for fs-outgoing; Fri, 31 Oct 1997 10:50:03 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA27150 for ; Fri, 31 Oct 1997 10:49:52 -0800 (PST) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous222.ppp.cs.tu-berlin.de [130.149.17.222]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id TAA23089; Fri, 31 Oct 1997 19:48:00 +0100 (MET) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id SAA00626; Fri, 31 Oct 1997 18:45:20 +0100 (MET) Message-ID: <19971031184519.12801@panke.de> Date: Fri, 31 Oct 1997 18:45:19 +0100 
From: Wolfram Schneider To: Bruce Evans Cc: Don.Lewis@tsc.tdk.com, wosch@cs.tu-berlin.de, freebsd-fs@FreeBSD.ORG, roberto@keltia.freenix.fr Subject: Re: disabled symlinks References: <199710311325.AAA17135@godzilla.zeta.org.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.79 In-Reply-To: <199710311325.AAA17135@godzilla.zeta.org.au>; from Bruce Evans on Sat, Nov 01, 1997 at 12:25:57AM +1100 Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On 1997-11-01 00:25:57 +1100, Bruce Evans wrote: > >> } diff -u -r1.51.2.6 vfs_syscalls.c > >> } --- vfs_syscalls.c 1997/10/23 18:04:55 1.51.2.6 > >> } +++ vfs_syscalls.c 1997/10/30 22:24:47 > >> } @@ -1326,8 +1328,10 @@ > >> } return (error); > >> } vp = nd.ni_vp; > >> } error = vn_stat(vp, &sb, p); > >> } - if (vp->v_type == VLNK) > >> } + if (vp->v_type == VLNK && > >> } + (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) != 0) > > ^^ > > > >> This test looks backwards to me (it changes the behavior if the > >> new nosymlinkfollow option is not set). I'm also not clear as > >> to why the behaviour even depends on the option. > > It's also wrong because it breaks the setting of S_IFLNK. S_IFLNK was already set in vn_stat. -- Wolfram Schneider http://www.apfel.de/~wosch/