Date:      Sun, 20 Jul 2003 09:37:03 -0700
From:      Gordon Tetlow <gordont@gnf.org>
To:        Ian Dowse <iedowse@maths.tcd.ie>
Cc:        arch@freebsd.org
Subject:   Re: *statfs exposure of file system IDs to non-root users
Message-ID:  <20030720163703.GF12996@roark.gnf.org>
In-Reply-To: <200307200306.aa17802@salmon.maths.tcd.ie>
References:  <200307200306.aa17802@salmon.maths.tcd.ie>



On Sun, Jul 20, 2003 at 03:06:13AM +0100, Ian Dowse wrote:
>
> In changing umount(8) to use statfs(2), I just noticed that the
> various *statfs calls hide the filesystem IDs from non-root users:
>
> 	if (suser(td)) {
> 		bcopy(sp, &sb, sizeof(sb));
> 		sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
> 		sp = &sb;
> 	}
>
> This was added in vfs_syscalls.c revision 1.61 (March 1997) and
> came from OpenBSD. I guess the reason was to hide information that
> gets used in NFS filehandles, but it doesn't do us any good now as
> you can get the real IDs from getfsstat() as a normal user. Being
> able to get and compare file system IDs is useful for umount, and
> umount can be used by non-root users when vfs.usermount is set.
>
> Is there a good reason not to delete this fsid hiding? I guess if
> we do want to keep the values used in NFS handles secret while still
> exposing useful IDs to userland, we could add a separate user-side
> fsid to struct mount and use that instead. The IDs for NFS need to
> be persistent across reboots, but the user ones don't. Note that
> NFS filesystems use a hidden generation number for each file too,
> so just knowing the filesystem ID isn't enough on its own to form
> a valid handle.

But it's that much less that an attacker needs to guess. Can you make
it so a non-root user falls back to the old umount method, thereby
not needing the fsid? I think if you have a hung remote NFS server,
root probably needs to step in to check on things.

-gordon
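As an added illustration (not code from this thread and not FreeBSD source), the following C model contrasts the two designs discussed in the message: the existing suser() check that zeroes f_fsid for non-root callers (but, as Ian notes, leaves the same value readable through getfsstat()), and the proposed separate user-side fsid in struct mount, which lets umount compare IDs without the NFS-handle fsid ever reaching userland. It also includes the check a reviewer would run, whether a copied-out statfs leaks either half of the NFS fsid, which is the partial-guess concern Gordon raises. All struct and function names (mount_model, statfs_model, statfs_hide_fsid, statfs_user_fsid, leaks_nfs_fsid) are hypothetical userland stand-ins for kernel structures.

```c
/* Userland model (added illustration, not FreeBSD source) of the two designs
 * discussed in the thread. Names are hypothetical stand-ins for the kernel's
 * struct mount / struct statfs; only the fsid field is modelled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fsid_pair { int32_t val[2]; };

/* Model of struct mount: the persistent fsid that ends up in NFS file
 * handles, plus the proposed per-boot identifier meant for userland. */
struct mount_model {
    struct fsid_pair nfs_fsid;   /* persistent across reboots; should stay private */
    struct fsid_pair user_fsid;  /* regenerated each boot; safe to expose */
};

/* Model of the statfs buffer copied out to the caller. */
struct statfs_model { struct fsid_pair f_fsid; };

/* 1997 behaviour: root sees the real (NFS) fsid, everyone else sees zeros,
 * mirroring the quoted suser(td) block. */
void statfs_hide_fsid(const struct mount_model *mp, int is_superuser,
                      struct statfs_model *out)
{
    memset(out, 0, sizeof(*out));
    if (is_superuser)
        out->f_fsid = mp->nfs_fsid;
}

/* Proposed behaviour: every caller gets the user-side fsid, so umount can
 * compare IDs while the NFS-handle fsid never leaves the kernel. */
void statfs_user_fsid(const struct mount_model *mp, struct statfs_model *out)
{
    memset(out, 0, sizeof(*out));
    out->f_fsid = mp->user_fsid;
}

/* The comparison umount(8) needs once IDs are visible to it. */
int fsid_equal(const struct fsid_pair *a, const struct fsid_pair *b)
{
    return a->val[0] == b->val[0] && a->val[1] == b->val[1];
}

/* Review check: does a copied-out statfs reveal either half of the NFS fsid?
 * An all-zero result counts as fully hidden. */
int leaks_nfs_fsid(const struct mount_model *mp, const struct statfs_model *sb)
{
    if (sb->f_fsid.val[0] == 0 && sb->f_fsid.val[1] == 0)
        return 0;
    return sb->f_fsid.val[0] == mp->nfs_fsid.val[0] ||
           sb->f_fsid.val[1] == mp->nfs_fsid.val[1];
}

int main(void)
{
    /* Constructed sample values; no relation to any real file system. */
    struct mount_model mp = { { { 0x1234, 0x5678 } }, { { 0x0001, 0x0002 } } };
    struct statfs_model sb;

    statfs_hide_fsid(&mp, 0, &sb);
    printf("hide, non-root : leaks=%d\n", leaks_nfs_fsid(&mp, &sb));
    statfs_hide_fsid(&mp, 1, &sb);
    printf("hide, root     : leaks=%d\n", leaks_nfs_fsid(&mp, &sb));
    statfs_user_fsid(&mp, &sb);
    printf("user fsid      : leaks=%d equal_to_user=%d\n",
           leaks_nfs_fsid(&mp, &sb), fsid_equal(&sb.f_fsid, &mp.user_fsid));
    return 0;
}
```

The point of the model is that the second design removes the trade-off in the thread: non-root umount gets a comparable ID, and no interface (statfs or, in the real kernel, getfsstat) needs to carry the value used in NFS handles.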




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030720163703.GF12996>