Date: Mon, 26 Jan 2004 15:19:12 -0800 (PST)
From: Julian Elischer <julian@elischer.org>
To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Cc: rwatson@freebsd.org
Subject: Re: Analysis of mounts/unmounts issues.
Message-ID: <Pine.BSF.4.21.0401261517410.76985-100000@InterJet.elischer.org>
In-Reply-To: <20040126230034.GK565@garage.freebsd.pl>
On Tue, 27 Jan 2004, Pawel Jakub Dawidek wrote:

> Hello.
>
> This is a short analysis of mount(2)/unmount(2) problems related to
> usermounts, unprivileged root and jails.
>
> I've found many issues related to this topic, here is a list of those issues:
>
> 1. Root from inside of jail is able to unmount _any_ file system
>    (except /) from even outside of jail.
> 2. Even if security.bsd.suser is set to 0, root is able to unmount
>    file systems mounted by privileged root (except /).
> 3. If usermount is set to 1, user from inside of jail is able to
>    mount file system (if support for required file system is
>    compiled in kernel or loaded as a kld module), but with
>    MNT_NOSUID and MNT_NODEV flags set.
>    Insufficient check is in two places: for normal mounts and
>    for mounts with MNT_UPDATE flag set.
> 4. Let's assume that usermount is set to 1 and user mounts file system,
>    now we're setting usermount to 0 and user is still able to
>    unmount file system mounted by him previously.
>
> My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts
> for unprivileged root, because there is no chance to check if
> security.bsd.suser was 0 or 1 while file system was mounted.
> Patch is here:
>
> http://garage.freebsd.pl/patches/vfs_mount.c.2.patch
>
> Things to discuss.
>
> Should we permit mounts/unmounts inside of jail if usermount is set to 1?
> Maybe there should be 'jailmount' variable to control this?

We need a generic way to specify what is limited in a jail..
I have applications for jails that need to be able to run 'ping'
and some that need chflags()..
My answer is to just "allow it" in source but that's not a general
solution..

>
> Should we store in mount structure value of security.bsd.suser while
> file system is mounted to permit unmount and mount with MNT_UPDATE flag set
> operations for unprivileged root? This will give us a complete solution.
>
> --
> Pawel Jakub Dawidek pawel@dawidek.net
> UNIX Systems Programmer/Administrator http://garage.freebsd.pl
> Am I Evil? Yes, I Am! http://cerber.sourceforge.net
>