[HEADSUP] Disallowing read() of a directory fd

Poul-Henning Kamp phk at phk.freebsd.dk
Fri May 15 07:51:47 UTC 2020 

--------
In message <CACNAnaFDHMkConkBLY-2BMAudueDA8-HTJ5_FNpt4WrB=gg_HA at mail.gmail.com>
, Kyle Evans writes:
>On Thu, May 14, 2020 at 3:30 PM Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:

>Can we explore the possibility of using fsdb(8) to fulfill these needs
>in a way that you'd be comfortable with?

First, I am perfectly comfortable with fsdb(8), but in both the two
scenarios it was much less timeconsuming to do:

	strings < /some/directory | head

Which immediately gives you the first filenames in the directory,
without waiting for ls(1) to read the entire directory, which in
this case was well north of 100MB.

In the other case

	hexdump -C < /some/directory | grep part_of_suspect_filename

gave me the answer faster than I could have started fsdb, it gave
me the answer in convenient hexadecimal, and besides it was not 
a UFS filesystem.

Second, one of the major reasons, probably about 3/4 of the total
reason I ended up in FreeBSD, was because of some utterly shit
experiences with commercial operating systems, where I had been in
a tight corner at 00-dark o'clock, and run straight into something
some idiot of at the vendor thought root should not be able to do
"for their own safety".

This change falls right into that category:  If root wants to hexdump
a directory, an entire bloody disk, or even if root wants to go
and do binary surgery on a mounted file system with a hex-editor,
root should be able to do that.

She may have to `sysctl kern.warranty_voided=999` first, to disable
*under normal circumstances* reasonable and sensible protections.

I'm perfectly fine with that:  We do not want to make being root a
minefield, and I myself put the ability to munge mounted filesystems
under such a interlock in GEOM.

But we should not make it *impossible* to do these things, and in
particular, we should not make them require a reboot, because ten
times out of nine, when you find yourself doing this kind of shit,
it is usually because you're pretty sure everything is lost if you
reboot.

Summary:  I'm perfectly fine with read(2) returning error on a
directory *under normal circumstances*, and I think it makes good
sense by protecting a lot of terminals from a lot of binary
garbage.

But there is absolutely no reason to make it *impossible* for
a competent root to do what competent roots do.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the freebsd-hackers mailing list