Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.netspace.net.au!news.melbpc.org.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!feeder.chicago.cic.net!chi-news.cic.net!207.33.1.6!news.he.net!pacifier!news.pacifier.com!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: User mount possible?
Date: 18 Jun 1997 13:24:43 GMT
Organization: OpenBSD
Lines: 57
Message-ID: <DERAADT.97Jun18072443@zeus.pacifier.com>
References: <5nr27n$ees@vestein.arb-phys.uni-dortmund.de> <5nu2di$7o@xciv.demon.co.uk> <8767vgm5sw.fsf@devnull.ruhr.de> <5o2n4k$114@panix2.panix.com> <87rae1dkh7.fsf@devnull.ruhr.de>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: Benedikt Stockebrand's message of Tue, 17 Jun 1997 20:48:20 GMT
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.misc:3590 comp.unix.bsd.freebsd.misc:43105

In article <87rae1dkh7.fsf@devnull.ruhr.de> Benedikt Stockebrand <benedikt@devnull.ruhr.de> writes:

> Ok, so I may have misread the man page. But anyway, there's
> definitely one option the (Open)BSD mount/fstab miss: Linux has a
> "NOUSER" flag for fstab that will disallow users to mount file
> systems with that option. Trying to make this work safely will open
> up a mighty can of worms.

That's interesting. I'm going to think about this. It might be a nice combination for those places that still want to let users do some limited types of mounting. However we are going to retain our sysctl which prevents this at the kernel level, and we are going to default it to, er.. "prevent".

> OpenBSD has about 7500 lines of source related to mount and
> mount_<whatever_fs_you_care_about>.

It's less than that, about 4700 lines. And a large portion of that lands in some mostly unused filesystem mount programs. Ah, I think you accidentally counted mountd ;-) Hmm, I might look at mount_portal for holes again.

> If you really want to make those setuid-proof you've got a bit of
> work ahead.

Well, everything has to be made setuid-proof in any case. You have to be careful everywhere. It's just the nature of the systems programming environment. This isn't Multics.

> Anyone who really wants to allow users to mount file systems (like
> floppy disk) will be able to write a ten-line C wrapper to do
> exactly this. Well, at least anyone who has an idea about the
> security issues involved.

Well, That's quite a large issue -- most will do it wrong, even if they are mostly aware. How do you think most of these bugs got into the system to begin with? Because people thought they knew all the security issues involved. But this is not an issue I can deal with. Documentation and re-training people is not my forte. So, sudo with a very careful wrapper is probably a good start; but as I said earlier I will take a look and see if adding a fstab flag is an easier and more complete solution to the problem.

> Sure, it can be done. The question is: Is it worth the trouble,
> like actually doing the work, debugging it, dealing with subsequent
> security alerts and SAs using old fstabs that miss the "nouser"
> flag?

Hmm.

--
This space not left unintentionally unblank.    deraadt@openbsd.org
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
(If it wasn't so fascinating I might get some sleep myself...)
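
The "very careful wrapper" discussed in the post above, sketched as an added example that is not part of the original post and not OpenBSD code: a setuid-root C wrapper in which the caller can only pick a name from a fixed table, so no user-supplied path, option or environment variable reaches mount(8). The table contents (device paths, mount points, filesystem types) and the program name `umnt` are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct target { const char *name, *fstype, *opts, *dev, *dir; };

/* Hypothetical allowlist. nodev/nosuid/noexec matter because the media
 * content is user-controlled: setuid bits and device nodes on it must
 * never be honoured. */
static const struct target targets[] = {
    { "floppy", "msdos",  "nodev,nosuid,noexec",    "/dev/fd0a", "/mnt/floppy" },
    { "cdrom",  "cd9660", "ro,nodev,nosuid,noexec", "/dev/cd0a", "/mnt/cdrom"  },
};

/* Fill argv (8 slots) for an allowlisted name; return -1 otherwise.
 * Every element is a compile-time constant; 'name' is only compared. */
int build_mount_argv(const char *name, const char *argv[8])
{
    size_t i;

    if (name == NULL)
        return -1;
    for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
        if (strcmp(name, targets[i].name) != 0)
            continue;
        argv[0] = "mount";
        argv[1] = "-t";  argv[2] = targets[i].fstype;
        argv[3] = "-o";  argv[4] = targets[i].opts;
        argv[5] = targets[i].dev;
        argv[6] = targets[i].dir;
        argv[7] = NULL;
        return 0;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    const char *margv[8];
    /* Fixed environment: inherited PATH, IFS, LD_* etc. are all dropped. */
    char *const envp[] = { "PATH=/sbin:/bin:/usr/bin", NULL };

    if (argc != 2 || build_mount_argv(argv[1], margv) != 0) {
        fprintf(stderr, "usage: umnt floppy|cdrom\n");
        return 1;
    }
    /* Set real uid as well, so mount(8) sees consistent ids. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    /* Absolute path, no shell, no PATH search. */
    execve("/sbin/mount", (char *const *)margv, envp);
    perror("execve");
    return 1;
}
```
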