Date: Mon, 20 Oct 1997 21:10:02 -0700 (PDT) From: Bruce Evans <bde@zeta.org.au> To: freebsd-bugs Subject: Re: kern/4810: Access checks in msdosfs_mount() Message-ID: <199710210410.VAA16296@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/4810; it has been noted by GNATS. From: Bruce Evans <bde@zeta.org.au> To: FreeBSD-gnats-submit@FreeBSD.ORG, pavel@slac.stanford.edu Cc: Subject: Re: kern/4810: Access checks in msdosfs_mount() Date: Tue, 21 Oct 1997 13:58:18 +1000 >>Description: > > I noticed this problem because I use a setuid wrapper to allow >non-privileged users to mount /def/fd0 as /floppy. I have noticed that >this wrapper works fine for the cd9660 fs (/dev/wcd0c on /cdrom), but >fails for msdos fs unless the setuid wrapper is executed by root. > >I have now traced to problem to the following code in msdosfs_vfsops.c: >------------------------------------------------------ > /* > * check to see that the user in owns the target directory. > * Note the very XXX trick to make sure we're checking as the > * real user -- were mount() executable by anyone, this wouldn't > * be a problem. >... >This code seems intent on checking only the real uid. Perhaps that >semantics is required for some part of the msdosfs security model, but >I find it incovenient and I can't see the justification. If the euid >of the process doing the mount is root, then I think the mount should >be allowed. In -current, mount(2) _is_ executable by anyone, and anyone can mount anything (nosuid nodev) on any directory that they own. Only the euid is checked (except in poorly maintained file systems like msdosfs). This is too insecure for a release (anyone can deny service by mounting any unmounted device) but it shows what msdosfs should do. This doesn't work in 2.2, because mount_msdos(8) is setuid root to get around the restriction on mount(2), so the euid is always root in msdosfs_mount(). The "very XXX trick" attempts to recover the previous euid by using the ruid. Fix for 2.2: remove the setuid bit from mount_msdos and change the ruid checking to euid checking. Then add the desired insecurities using a wrapper. Fix for -current: remove the setuid bit from mount_msdos and remove all uid checking from msdosfs. Somehow fix the insecurities (require at least read permission on the device being opened?). Bruce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710210410.VAA16296>