Analysis of mounts/unmounts issues.
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Sat Jan 31 05:30:37 PST 2004
On Tue, Jan 27, 2004 at 12:00:34AM +0100, Pawel Jakub Dawidek wrote:
+> This is a short analysis of mount(2)/unmount(2) problems related to
+> usermounts, unprivileged root and jails.
+>
+> I've found many issues related to this topic, here is a list of those issues:
+>
+> 1. Root from inside of jail is able to unmount _any_ file system
+> (except /) from even outside of jail.
+> 2. Even if security.bsd.suser is set to 0, root is able to unmount
+> file systems mounted by privileged root (except /).
+> 3. If usermount is set to 1, user from inside of jail is able to
+> mount file system (if support for required file system is
+> compiled in kernel or loaded as a kld module), but with
+> MNT_NOSUID and MNT_NODEV flags set.
+> Insufficient check is in two places: for normal mounts and
+> for mounts with MNT_UPDATE flag set.
+> 4. Let's assume that usermount is set to 1 and user mounts file system,
+> now we're setting usermount to 0 and user is still able to
+> unmount file system mounted by him previously.
+>
+> My fix denies any mounts/unmounts inside of jail and denies mounts/unmounts
+> for unprivileged root, because there is no chance to check if
+> security.bsd.suser was 0 or 1 while file system was mounted.
+> Patch is here:
+>
+> http://garage.freebsd.pl/patches/vfs_mount.c.2.patch
+>
+> Things to discuss.
+>
+> Should we permit mounts/unmounts inside of jail if usermount is set to 1?
+> Maybe there should be 'jailmount' variable to control this?
+>
+> Should we store in mount structure value of security.bsd.suser while
+> file system is mounted to permit unmount and mount with MNT_UPDATE flag set
+> operations for unprivileged root? This will give us a complete solution.

OK, I've got a complete solution.
While I was looking at the mksnap_ffs issue, I found that we have the MNT_USER
flag to mark file systems mounted by unprivileged users.
This flag is not used currently.

Patch is here:

http://garage.freebsd.pl/patches/mount.patch

The patch makes use of the MNT_USER flag, so if a file system is mounted by
unprivileged root, it can be unmounted by him as well.
Mount(8) has been modified to print 'mounted by <user>' for unprivileged
root also.

--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
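
The unmount checks discussed in this message, modelled in userland C as an added example; it is not the contents of mount.patch or FreeBSD kernel code. The uid-only comparison used as the weak baseline, the requirement that usermount still be enabled, and all struct, function and macro names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userland model with constructed sample values; every name is hypothetical,
 * none of this is FreeBSD kernel code. */
#define MODEL_MNT_USER 0x1  /* stands in for the MNT_USER mount flag */
struct sysctls { bool suser, usermount; };  /* security.bsd.suser, usermount */
struct caller  { unsigned uid; bool jailed; };
struct mnt     { unsigned owner_uid; int flags; };

/* uid 0 is privileged only outside a jail and with suser enabled. */
static bool privileged(struct sysctls s, struct caller c)
{
    return c.uid == 0 && s.suser && !c.jailed;
}

/* Assumed weak check: ownership is decided by uid comparison alone. */
bool unmount_uid_only(struct sysctls s, struct caller c, struct mnt m)
{
    return m.owner_uid == c.uid || privileged(s, c);
}

/* Stricter check: nothing from inside a jail; an unprivileged caller needs
 * usermount on (assumption), the user-mount flag, and a matching owner. */
bool unmount_flagged(struct sysctls s, struct caller c, struct mnt m)
{
    if (c.jailed)
        return false;
    return privileged(s, c) ||
        (s.usermount && (m.flags & MODEL_MNT_USER) && m.owner_uid == c.uid);
}

int main(void)
{
    /* Constructed cases: sysctls, caller, mount being unmounted. */
    const struct { struct sysctls s; struct caller c; struct mnt m; } t[] = {
        { { true, true },  { 0, true },     { 0, 0 } },                 /* issue 1 */
        { { false, true }, { 0, false },    { 0, 0 } },                 /* issue 2 */
        { { true, false }, { 1001, false }, { 1001, MODEL_MNT_USER } }, /* issue 4 */
        { { false, true }, { 0, false },    { 0, MODEL_MNT_USER } },    /* own mount */
    };
    for (unsigned i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("case %u: uid-only=%d flagged=%d\n", i + 1,
               unmount_uid_only(t[i].s, t[i].c, t[i].m),
               unmount_flagged(t[i].s, t[i].c, t[i].m));
    return 0;
}
```

The first three cases are allowed by the uid-only check and refused by the flag-based one; the fourth, unprivileged root unmounting a file system it mounted itself, is allowed by both.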