Date:      Thu, 11 Dec 2003 14:50:32 +0100 (CET)
From:      Pawel Jakub Dawidek <jules@garage.freebsd.pl>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        rwatson@FreeBSD.org
Subject:   kern/60149: Unmount operation is permitted inside jail.
Message-ID:  <20031211135032.A48643ABB53@milla.ask33.net>
Resent-Message-ID: <200312111400.hBBE0WaH001729@freefall.freebsd.org>


>Number:         60149
>Category:       kern
>Synopsis:       Unmount operation is permitted inside jail.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 11 06:00:32 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Jakub Dawidek <jules@garage.freebsd.pl>
>Release:        FreeBSD 5.2-CURRENT, FreeBSD 4.x.
>Organization:
None
>Environment:
System: FreeBSD anger.hell.invalid 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Mon Dec 8 15:41:20 CET 2003 root@anger.hell.invalid:/usr/obj/usr/src/sys/ANGER i386

>Description:
	This possibility was originally reported by:
		Dariusz Kowalski <darek@76.pl>

	There is a missing check in the unmount(2) system call.
	Because of this, jailed root is able to unmount any file system
	(except the root file system, because of a different check).

	The insufficient check is here (/sys/kern/vfs_mount.c:1058):

	if (mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) {
		error = suser(td);
		if (error)
			return (error);
	}

	We're missing a suser() test for root in jail.

	This bug also exists in FreeBSD 4.x:

	if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
	    (error = suser(p))) {
		vput(vp);
		return (error);
	}

	For jailed root the first check will fail, so the whole 'if' will fail.

>How-To-Repeat:
	# mdconfig -a -t malloc -s 1M -u 10
	# newfs -O1 /dev/md10
	# mkdir /mnt/test
	# mount /dev/md10 /mnt/test
	# jail / test 127.0.0.1 /sbin/umount /mnt/test
	umount: retrying using path instead of file system ID
	# mount | grep /mnt/test
	Exit 1
>Fix:
	This patch should fix this bug (against FreeBSD 5-CURRENT):

	--[ start ]--
--- vfs_mount.c.orig	Thu Dec 11 14:01:58 2003
+++ vfs_mount.c	Thu Dec 11 14:38:45 2003
@@ -68,6 +68,7 @@
 #include <sys/param.h>
 #include <sys/conf.h>
 #include <sys/cons.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/linker.h>
 #include <sys/mac.h>
@@ -1013,6 +1014,12 @@
 	struct mount *mp;
 	char *pathbuf;
 	int error, id0, id1;
+
+	/*
+	 * Unmount operation is not permitted inside jail.
+	 */
+	if (jailed(td->td_ucred))
+		return (EPERM);
 
 	pathbuf = malloc(MNAMELEN, M_TEMP, M_WAITOK);
 	error = copyinstr(uap->path, pathbuf, MNAMELEN, NULL);
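Review bot: the defect described above is that suser() is skipped whenever the caller's uid equals the mount owner's, but this hunk rejects every jailed caller unconditionally instead of closing that gap, which is a wider policy change than the analysis calls for: a jailed process that owns the mount is now refused as well. If that is intended, say so in the comment (for example "Unmount operation is not permitted inside jail, even by the mount owner."); otherwise the narrower fix is to change the existing test to `if (jailed(td->td_ucred) || mp->mnt_cred->cr_uid != td->td_ucred->cr_uid)` so that suser() always runs for jailed credentials. Putting the test ahead of the malloc()/copyinstr() is right, since nothing has to be freed on the EPERM path.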
	--[ end ]--

	And this one against FreeBSD 4.8 (not tested):

	--[ start ]--
--- vfs_syscalls.c.orig	Thu Dec 11 14:27:17 2003
+++ vfs_syscalls.c	Thu Dec 11 14:28:36 2003
@@ -441,6 +441,12 @@
 	mp = vp->v_mount;
 
 	/*
+	 * Unmount operation is not permitted inside jail.
+	 */
+	if (p->p_prison != NULL)
+		return (EPERM);
+
+	/*
 	 * Only root, or the user that did the original mount is
 	 * permitted to unmount this filesystem.
 	 */
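Review bot: the early `return (EPERM)` inserted after `mp = vp->v_mount;` returns without the `vput(vp)` that the existing owner/suser error path immediately below performs (`vput(vp); return (error);` in the 4.x code quoted in the description), so a jailed caller would leak the reference and lock on `vp` on every attempt. Either write `vput(vp); return (EPERM);` here, or move the jail test above the name lookup, as the 5-CURRENT patch does, so there is nothing to release. The patch is marked untested, so this should at least be compiled on 4.8 before commit.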
	--[ end ]--
>Release-Note:
>Audit-Trail:
>Unformatted:
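The following is an added userland model of the unmount(2) owner/privilege check quoted in the description; it is not FreeBSD kernel code and not part of the report. It shows why the uid comparison lets jailed root bypass suser(), and how the report's blanket jailed() refusal compares with a narrower fix that keeps the owner rule. struct ucred, struct mount, suser_cred() and the sample credentials are simplified stand-ins constructed for this illustration; the assumption, as with suser() in 5.x when no PRISON_ROOT exception is requested, is that suser_cred() rejects any jailed credential.

```c
/*
 * Added illustration for PR kern/60149, not FreeBSD kernel code: a userland
 * model of the unmount(2) owner/privilege check.  struct ucred, struct mount
 * and suser_cred() are simplified stand-ins.  Assumption: like suser() in 5.x
 * without a PRISON_ROOT exception, suser_cred() rejects jailed credentials.
 */
#include <errno.h>
#include <stdio.h>

struct ucred {
	unsigned cr_uid;	/* effective uid of the caller */
	int	 cr_jailed;	/* non-zero if the credential belongs to a jail */
};

struct mount {
	struct ucred mnt_cred;	/* credential that performed the mount */
};

/* Constructed samples: a file system mounted by host root, four callers. */
const struct mount root_mount = { { 0, 0 } };
const struct ucred host_root  = { 0, 0 };	/* real root outside any jail */
const struct ucred host_user  = { 1001, 0 };	/* unprivileged, not the owner */
const struct ucred jail_root  = { 0, 1 };	/* uid 0 inside a jail */
const struct ucred jail_user  = { 1001, 1 };	/* unprivileged inside a jail */

static int
jailed(const struct ucred *cr)
{
	return (cr->cr_jailed != 0);
}

/* Stand-in for suser(): only unjailed uid 0 is privileged. */
static int
suser_cred(const struct ucred *cr)
{
	if (cr->cr_uid != 0 || jailed(cr))
		return (EPERM);
	return (0);
}

/*
 * The check as quoted from vfs_mount.c: suser() is consulted only when the
 * caller's uid differs from the mount owner's.  Jailed root has uid 0 and the
 * mount was made by uid 0, so the comparison is false and suser() never runs.
 */
int
unmount_check_original(const struct mount *mp, const struct ucred *cr)
{
	if (mp->mnt_cred.cr_uid != cr->cr_uid)
		return (suser_cred(cr));
	return (0);
}

/* The PR's patch: refuse every caller inside a jail up front. */
int
unmount_check_patched(const struct mount *mp, const struct ucred *cr)
{
	if (jailed(cr))
		return (EPERM);
	return (unmount_check_original(mp, cr));
}

/*
 * Narrower alternative: keep the owner rule for unjailed callers, but never
 * let a matching uid bypass the privilege check when the caller is jailed.
 */
int
unmount_check_narrow(const struct mount *mp, const struct ucred *cr)
{
	if (jailed(cr) || mp->mnt_cred.cr_uid != cr->cr_uid)
		return (suser_cred(cr));
	return (0);
}

int
main(void)
{
	const struct ucred *callers[] = { &host_root, &host_user, &jail_root, &jail_user };
	const char *names[] = { "host root", "host user", "jail root", "jail user" };
	size_t i;

	printf("%-10s %-9s %-9s %-9s\n", "caller", "original", "patched", "narrow");
	for (i = 0; i < sizeof(callers) / sizeof(callers[0]); i++)
		printf("%-10s %-9s %-9s %-9s\n", names[i],
		    unmount_check_original(&root_mount, callers[i]) == 0 ? "allowed" : "EPERM",
		    unmount_check_patched(&root_mount, callers[i]) == 0 ? "allowed" : "EPERM",
		    unmount_check_narrow(&root_mount, callers[i]) == 0 ? "allowed" : "EPERM");
	return (0);
}
```

Run as-is it prints one row per caller; the "jail root" row is the bug (allowed by the original check, EPERM under both fixes). The difference between the two fixes only shows for a jailed caller whose uid matches the mount owner and who would pass suser_cred(), which this model, by the stated assumption, never grants.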



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031211135032.A48643ABB53>