From owner-freebsd-fs@FreeBSD.ORG Mon Jan 26 14:59:44 2004
Date: Tue, 27 Jan 2004 00:00:34 +0100
From: Pawel Jakub Dawidek
To: freebsd-fs@freebsd.org
Cc: rwatson@freebsd.org
Subject: Analysis of mounts/unmounts issues.
Message-ID: <20040126230034.GK565@garage.freebsd.pl>

Hello.

This is a short analysis of mount(2)/unmount(2) problems related to
usermounts, unprivileged root and jails.

I've found many issues related to this topic, here is a list of those issues:

    1. Root from inside of jail is able to unmount _any_ file system
       (except /) from even outside of jail.
    2. Even if security.bsd.suser is set to 0, root is able to unmount
       file systems mounted by privileged root (except /).
    3. If usermount is set to 1, user from inside of jail is able to
       mount file system (if support for required file system is
       compiled in kernel or loaded as a kld module), but with
       MNT_NOSUID and MNT_NODEV flags set.
       Insufficient check is in two places: for normal mounts and
       for mounts with MNT_UPDATE flag set.
    4. Let's assume that usermount is set to 1 and user mounts file system,
       now we're setting usermount to 0 and user is still able to
       unmount file system mounted by him previously.

My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts
for unprivileged root, because there is no chance to check if
security.bsd.suser was 0 or 1 while file system was mounted.
Patch is here:

    http://garage.freebsd.pl/patches/vfs_mount.c.2.patch

Things to discuss.

Should we permit mounts/unmounts inside of jail if usermount is set to 1?
Maybe there should be 'jailmount' variable to control this?

Should we store in mount structure value of security.bsd.suser while
file system is mounted to permit unmount and mount with MNT_UPDATE flag set
operations for unprivileged root? This will give us a complete solution.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
                                          http://cerber.sourceforge.net

From owner-freebsd-fs@FreeBSD.ORG Mon Jan 26 15:19:16 2004
Date: Mon, 26 Jan 2004 15:19:12 -0800 (PST)
From: Julian Elischer
To: Pawel Jakub Dawidek
Cc: freebsd-fs@freebsd.org, rwatson@freebsd.org
Subject: Re: Analysis of mounts/unmounts issues.
In-Reply-To: <20040126230034.GK565@garage.freebsd.pl>

On Tue, 27 Jan 2004, Pawel Jakub Dawidek wrote:

> Hello.
>
> This is a short analysis of mount(2)/unmount(2) problems related to
> usermounts, unprivileged root and jails.
>
> I've found many issues related to this topic, here is a list of those issues:
>
>     1. Root from inside of jail is able to unmount _any_ file system
>        (except /) from even outside of jail.
>     2. Even if security.bsd.suser is set to 0, root is able to unmount
>        file systems mounted by privileged root (except /).
>     3. If usermount is set to 1, user from inside of jail is able to
>        mount file system (if support for required file system is
>        compiled in kernel or loaded as a kld module), but with
>        MNT_NOSUID and MNT_NODEV flags set.
>        Insufficient check is in two places: for normal mounts and
>        for mounts with MNT_UPDATE flag set.
>     4. Let's assume that usermount is set to 1 and user mounts file system,
>        now we're setting usermount to 0 and user is still able to
>        unmount file system mounted by him previously.
>
> My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts
> for unprivileged root, because there is no chance to check if
> security.bsd.suser was 0 or 1 while file system was mounted.
> Patch is here:
>
>     http://garage.freebsd.pl/patches/vfs_mount.c.2.patch
>
> Things to discuss.
>
> Should we permit mounts/unmounts inside of jail if usermount is set to 1?
> Maybe there should be 'jailmount' variable to control this?

We need a generic way to specify what is limited in a jail..
I have applications for jails that need to be able to run 'ping'
and some that need chflags().. My answer is to just "allow it"
in source but that's not a general solution..

>
> Should we store in mount structure value of security.bsd.suser while
> file system is mounted to permit unmount and mount with MNT_UPDATE flag set
> operations for unprivileged root? This will give us a complete solution.
>
> -- 
> Pawel Jakub Dawidek                       pawel@dawidek.net
> UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
> Am I Evil? Yes, I Am!
>                                           http://cerber.sourceforge.net
>

From owner-freebsd-fs@FreeBSD.ORG Tue Oct 21 06:33:51 2003
Date: Tue, 21 Oct 2003 13:33:51 -0000
X-Original-Date: Tue, 21 Oct 2003 15:33:37 +0200
From: Bernd Walter
To: Josef Karthauser, freebsd-fs@FreeBSD.org, current@FreeBSD.org
Reply-To: ticso@cicely.de
Subject: Re: Problems with NFS (client) under 5.1.
Message-ID: <20031021133336.GT38650@cicely12.cicely.de>
In-Reply-To: <20031021120918.GC15345@genius.tao.org.uk>
References: <20031021120918.GC15345@genius.tao.org.uk>

On Tue, Oct 21, 2003 at 01:09:18PM +0100, Josef Karthauser wrote:
> I'm trying to set a FreeBSD 5.1 machine up as an NFS client. The
> server is on an SGI box. Things are strange:
>
> phoenix# uname -a
> FreeBSD phoenix.mydomain 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Thu Sep 18 15:20:19 GMT 2003 root@pheonix.mydomain:/usr/obj/usr/src/sys/GENERIC i386
>
> phoenix# ls -ld /mnt
> drwxr-xr-x 2 root wheel 512 Jun 5 01:53 /mnt
>
> phoenix# mount rebus:/rebus/home /mnt
> phoenix# ls -ld /mnt
> ls: /mnt: Permission denied
> phoenix# ls -ld /* | grep mnt
>
> phoenix# umount /mnt
> phoenix# ls -ld /* | grep mnt
> drwxr-xr-x 2 root wheel 512 Jun 5 01:53 /mnt

You are root - and root is often mapped to nobody on the server.
Are you sure that nobody is allowed to see?
The ls -ld /mnt case is strange, but /mnt is already on the server
namespace.

-- 
B.Walter                   BWCT                http://www.bwct.de
ticso@bwct.de                                  info@bwct.de