Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 20 Jul 2003 03:06:13 +0100
From:      Ian Dowse <iedowse@maths.tcd.ie>
To:        arch@freebsd.org
Subject:   *statfs exposure of file system IDs to non-root users
Message-ID:  <200307200306.aa17802@salmon.maths.tcd.ie>

next in thread | raw e-mail | index | archive | help

In changing umount(8) to use statfs(2), I just noticed that the
various *statfs calls hide the filesystem IDs from non-root users:

	if (suser(td)) {
		bcopy(sp, &sb, sizeof(sb));
		sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
		sp = &sb;
	}

This was added in vfs_syscalls.c revision 1.61 (March 1997) and
came from OpenBSD. I guess the reason was to hide information that
gets used in NFS filehandles, but it doesn't do us any good now as
you can get the real IDs from getfsstat() as a normal user. Being
able to get and compare file system IDs is useful for umount, and
umount can be used by non-root users when vfs.usermount is set.

Is there a good reason not to delete this fsid hiding? I guess if
we do want to keep the values used in NFS handles secret while still
exposing useful IDs to userland, we could add a separate user-side
fsid to struct mount and use that instead. The IDs for NFS need to
be persistent across reboots, but the user ones don't. Note that
NFS filesystems use a hidden generation number for each file too,
so just knowing the filesystem ID isn't enough on its own to form
a valid handle.

Ian


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307200306.aa17802>