From owner-freebsd-fs@FreeBSD.ORG Mon Jan 26 15:19:16 2004
Date: Mon, 26 Jan 2004 15:19:12 -0800 (PST)
From: Julian Elischer
To: Pawel Jakub Dawidek
cc: freebsd-fs@freebsd.org
cc: rwatson@freebsd.org
In-Reply-To: <20040126230034.GK565@garage.freebsd.pl>
Subject: Re: Analysis of mounts/unmounts issues.
List-Id: Filesystems

On Tue, 27 Jan 2004, Pawel Jakub Dawidek wrote:

> Hello.
>
> This is a short analysis of mount(2)/unmount(2) problems related to
> usermounts, unprivileged root and jails.
>
> I've found many issues related to this topic; here is a list of those issues:
>
> 1. Root from inside of jail is able to unmount _any_ file system
>    (except /) from even outside of jail.
> 2. Even if security.bsd.suser is set to 0, root is able to unmount
>    file systems mounted by privileged root (except /).
> 3. If usermount is set to 1, user from inside of jail is able to
>    mount file system (if support for required file system is
>    compiled in kernel or loaded as a kld module), but with
>    MNT_NOSUID and MNT_NODEV flags set.
>    Insufficient check is in two places: for normal mounts and
>    for mounts with MNT_UPDATE flag set.
> 4. Let's assume that usermount is set to 1 and user mounts file system,
>    now we're setting usermount to 0 and user is still able to
>    unmount file system mounted by him previously.
>
> My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts
> for unprivileged root, because there is no chance to check if
> security.bsd.suser was 0 or 1 while file system was mounted.
> Patch is here:
>
> http://garage.freebsd.pl/patches/vfs_mount.c.2.patch
>
> Things to discuss.
>
> Should we permit mounts/unmounts inside of jail if usermount is set to 1?
> Maybe there should be 'jailmount' variable to control this?

We need a generic way to specify what is limited in a jail..
I have applications for jails that need to be able to run 'ping' and
some that need chflags(). My answer is to just "allow it" in source,
but that's not a general solution..

> Should we store in mount structure value of security.bsd.suser while
> file system is mounted to permit unmount and mount with MNT_UPDATE flag set
> operations for unprivileged root? This will give us a complete solution.
>
> --
> Pawel Jakub Dawidek                       pawel@dawidek.net
> UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
> Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
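The following is an added userland model of the authorization policy the thread converges on; it is not the patch linked above and not FreeBSD's vfs_mount.c. It encodes the four issues Pawel lists as explicit checks: deny mount and unmount inside a jail (issues 1 and 3), record the value of security.bsd.suser in the mount structure so an unprivileged root may only touch mounts made under the same regime (issue 2, Pawel's second proposal), run one shared check for both unmount(2) and mount(2) with MNT_UPDATE, and re-check usermount when a non-root owner unmounts (issue 4; the thread lists the problem but names no fix, so that rule is this example's own inference). The struct layouts, the flag values and the `struct policy` holding the two sysctls are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the mount/unmount policy discussed on freebsd-fs.
 * Not kernel code: flag values, struct layouts and the verdict enum are
 * assumptions chosen for this illustration only.
 */
#define MNT_UPDATE 0x0001   /* constructed values, not the kernel's */
#define MNT_NOSUID 0x0002
#define MNT_NODEV  0x0004

struct policy {            /* the two sysctls the thread discusses */
    int suser;             /* security.bsd.suser */
    int usermount;         /* vfs.usermount */
};

struct cred {
    unsigned uid;
    bool jailed;
};

struct mount {
    unsigned owner_uid;    /* who performed the mount */
    int suser_at_mount;    /* security.bsd.suser at mount time (proposed field) */
    bool is_rootfs;        /* "/" is never unmountable, per the thread */
    int flags;
};

enum verdict {
    ALLOW = 0, DENY_ROOTFS, DENY_JAIL, DENY_UNPRIV_ROOT,
    DENY_USERMOUNT, DENY_NOT_OWNER
};

/* Authorize a fresh mount (no MNT_UPDATE). A non-root mounter is forced to
 * carry MNT_NOSUID|MNT_NODEV, as the thread describes. */
enum verdict check_new_mount(const struct cred *cr, const struct policy *pol,
                             int *flags)
{
    if (cr->jailed)
        return DENY_JAIL;                        /* issue 3 */
    if (cr->uid == 0)
        return pol->suser ? ALLOW : DENY_UNPRIV_ROOT;
    if (!pol->usermount)
        return DENY_USERMOUNT;
    *flags |= MNT_NOSUID | MNT_NODEV;
    return ALLOW;
}

/* Authorize an operation on an existing mount: unmount(2) or mount(2) with
 * MNT_UPDATE. Both paths share this single check. */
enum verdict check_existing_mount(const struct cred *cr, const struct policy *pol,
                                  const struct mount *mp)
{
    if (mp->is_rootfs)
        return DENY_ROOTFS;
    if (cr->jailed)
        return DENY_JAIL;                        /* issue 1 */
    if (cr->uid == 0) {
        if (pol->suser)
            return ALLOW;
        /* unprivileged root: only mounts made under suser=0 (issue 2) */
        return mp->suser_at_mount == 0 ? ALLOW : DENY_UNPRIV_ROOT;
    }
    if (mp->owner_uid != cr->uid)
        return DENY_NOT_OWNER;
    /* owner unmount still requires usermount to be on right now (issue 4) */
    return pol->usermount ? ALLOW : DENY_USERMOUNT;
}

/* Dispatch a mount(2) request: MNT_UPDATE targets an existing mount. */
enum verdict check_mount(const struct cred *cr, const struct policy *pol,
                         int *flags, const struct mount *existing)
{
    if (*flags & MNT_UPDATE)
        return check_existing_mount(cr, pol, existing);
    return check_new_mount(cr, pol, flags);
}

/* Perform a new mount if allowed, recording what later checks need. */
enum verdict do_mount(const struct cred *cr, const struct policy *pol, int flags,
                      struct mount *out)
{
    enum verdict v = check_new_mount(cr, pol, &flags);
    if (v != ALLOW)
        return v;
    out->owner_uid = cr->uid;
    out->suser_at_mount = pol->suser;
    out->is_rootfs = false;
    out->flags = flags;
    return ALLOW;
}

int main(void)
{
    struct policy pol = { 1, 1 };
    struct cred jailed_root = { 0, true };
    struct mount mp;

    do_mount(&(struct cred){ 0, false }, &pol, 0, &mp);
    printf("jailed root unmount -> %s\n",
           check_existing_mount(&jailed_root, &pol, &mp) == DENY_JAIL
               ? "denied" : "allowed");
    return 0;
}
```

Recording `suser_at_mount` is what turns Pawel's blanket denial for unprivileged root into the "complete solution" he asks about: the unmount path can now tell a mount made by privileged root apart from one made under suser=0 without guessing.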