Date:      Sat, 31 Jan 2004 14:31:59 +0100
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        freebsd-fs@freebsd.org
Cc:        rwatson@freebsd.org
Subject:   Re: Analysis of mounts/unmounts issues.
Message-ID:  <20040131133158.GE72053@garage.freebsd.pl>
In-Reply-To: <20040126230034.GK565@garage.freebsd.pl>
References:  <20040126230034.GK565@garage.freebsd.pl>

On Tue, Jan 27, 2004 at 12:00:34AM +0100, Pawel Jakub Dawidek wrote:
+> This is a short analysis of mount(2)/unmount(2) problems related to
+> usermounts, unprivileged root and jails.
+>
+> I've found many issues related to this topic, here is a list of those issues:
+>
+> 1. Root from inside of jail is able to unmount _any_ file system
+>    (except /) from even outside of jail.
+> 2. Even if security.bsd.suser is set to 0, root is able to unmount
+>    file systems mounted by privileged root (except /).
+> 3. If usermount is set to 1, user from inside of jail is able to
+>    mount file system (if support for required file system is
+>    compiled in kernel or loaded as a kld module), but with
+>    MNT_NOSUID and MNT_NODEV flags set.
+>    Insufficient check is in two places: for normal mounts and
+>    for mounts with MNT_UPDATE flag set.
+> 4. Let's assume that usermount is set to 1 and user mounts file system,
+>    now we're setting usermount to 0 and user is still able to
+>    unmount file system mounted by him previously.
+>
+> My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts
+> for unprivileged root, because there is no chance to check if
+> security.bsd.suser was 0 or 1 while file system was mounted.
+> Patch is here:
+>
+> 	http://garage.freebsd.pl/patches/vfs_mount.c.2.patch
+>
+> Things to discuss.
+>
+> Should we permit mounts/unmounts inside of jail if usermount is set to 1?
+> Maybe there should be 'jailmount' variable to control this?
+>
+> Should we store in mount structure value of security.bsd.suser while
+> file system is mounted to permit unmount and mount with MNT_UPDATE flag set
+> operations for unprivileged root? This will give us a complete solution.

Ok, I've got a complete solution.

While I was looking at the mksnap_ffs issue, I found that we have the MNT_USER
flag to mark file systems mounted by unprivileged users.
This flag is not used currently.

Patch is here:

	http://garage.freebsd.pl/patches/mount.patch

The patch makes use of the MNT_USER flag, so if a file system is mounted by
unprivileged root, it can be unmounted by him as well.
Mount(8) has been modified to print 'mounted by <user>' for unprivileged
root also.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
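
The unmount decision described in this message, as an added userland model (not the patch itself and not FreeBSD kernel code). The struct names, `MODEL_MNT_USER`, the recorded owner uid, and the usermount re-check for issue 4 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model flag only; the real MNT_USER is defined in <sys/mount.h>. */
#define MODEL_MNT_USER 0x1u

/* Hypothetical structures standing in for sysctl state, credentials, mounts. */
struct policy { bool suser_enabled; bool usermount; }; /* security.bsd.suser, usermount */
struct cred   { unsigned uid; bool jailed; };
struct mnt    { unsigned flags; unsigned owner; };     /* owner = uid that mounted it */

/* Returns true if the caller may unmount mp under the modelled policy. */
static bool may_unmount(const struct policy *p, const struct cred *c,
                        const struct mnt *mp)
{
    /* Issue 1: no unmounts from inside a jail. */
    if (c->jailed)
        return false;
    /* Fully privileged root: uid 0 while security.bsd.suser is 1. */
    if (c->uid == 0 && p->suser_enabled)
        return true;
    /* Issue 2: everyone else, unprivileged root included, may only touch
     * file systems marked MNT_USER that they mounted themselves. */
    if (!(mp->flags & MODEL_MNT_USER) || mp->owner != c->uid)
        return false;
    /* Issue 4 (assumption): usermount must still be enabled at unmount time. */
    return p->usermount;
}

int main(void)
{
    /* Constructed scenario: security.bsd.suser=0, usermount=1, uid 0 outside a jail. */
    struct policy nosuser = { false, true };
    struct cred root = { 0, false };
    struct mnt by_priv_root = { 0, 0 };
    struct mnt by_unpriv_root = { MODEL_MNT_USER, 0 };

    printf("unprivileged root, privileged mount:    %d\n",
           may_unmount(&nosuser, &root, &by_priv_root));
    printf("unprivileged root, own MNT_USER mount:  %d\n",
           may_unmount(&nosuser, &root, &by_unpriv_root));
    return 0;
}
```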
