mounting nullfs from the source directory that resides on filesystem that has nosuid option configured allows suid execution again

explicitly mounting nullfs with nosuid disables it

however, mount, in both cases shows that nosuid is set, when in reality it isn't
23:35,root@green:~# lh ping
-r-sr-xr-x 1 root wheel 61K Oct 30 14:35 ping
23:35,root@green:~# mount_nullfs /root/ /mnt/
23:35,root@green:~# mount | fgrep ' /mnt '
/root on /mnt (nullfs, local, noatime, nosuid, nfsv4acls)
23:35,root@green:~# su -fm nobody -c '/root/ping -o example.com'
ping: socket ssend: Operation not permitted
23:35,root@green:~# su -fm nobody -c '/mnt/ping -o example.com'
PING6(56=40+8+8 bytes) 2001:7d0:8437:1300:21e:bff:fea2:e000 --> 2606:2800:21f:cb07:6
820:80da:af6b:8b2c
16 bytes from 2606:2800:21f:cb07:6820:80da:af6b:8b2c, icmp_seq=0 hlim=55 time=92.991 ms

--- example.com ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 92.991/92.991/92.991/0.000 ms
23:35,root@green:~#
This is purely a display issue: the nosuid flag is reported when it is not set, and should not be shown then.

https://reviews.freebsd.org/D48150
what about others, noexec and nosymfollow do it too?

additionally, if src is updated, no options change in null. maybe it can't be done but it's confusing. eg fs becomes ro, is ro but doesn't show it's ro
this also confuses 100.chksetuid and 110.neggrpperm which now wrongly exclude fses from check list
(In reply to Sulev-Madis Silber from comment #3)
Do you mean that the whole idea of copying the lower fs mnt_flags is not useful? I think that I would agree with such a statement.
(In reply to Konstantin Belousov from comment #5)
yes. it would confuse hell out of tools and users if some options appear to be configured and they are not. esp one that actually (try) to impose restrictions and are supposed to increase security, even if only a little bit

i honestly believed that lower fs limits are respected. unsure, from manpage, such things aren't very clear too

but what if it instead of lying of flags, it would actually use them? if you mount null from ro fs, it won't become rw suddenly (i actually tried it). perhaps this could be configured from somewhere

i mean, nullfs is popular in jails and unsure which is better way for it to operate but it should behave consistently

i wonder how many systems suddenly start reporting suid binaries from either periodic or from some other ids tools since mount output just lied. might actually have something there too. or just the fact that you think you have those options configured. exec and suid was not only allowed but nothing checked fses too since it's cheap and easy to check if fs even supports it

i realize that this is maybe not that good practice but confusion is also bad and everyone is human. luckily i outright tested what i configured. i expected it to be nosuid, tried anyway, looked at mount, didn't get why it's still on
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=709989bab5d060763bb8fd8e75d33f8bd1d454ad

commit 709989bab5d060763bb8fd8e75d33f8bd1d454ad
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-12-19 22:14:20 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-12-20 15:58:29 +0000

    nullfs: stop lying about mount flags in statfs(2)

    Flags should not propagate from the lower fs. Behavior for the upper
    fs is determined by flags from its mount point structure. When lower
    fs acts according to its mount configuration, it is reported up as
    VOP errors.

    PR: 283425
    Reviewed by: markj
    Sponsored by: The FreeBSD Foundation
    MFC after: 1 week
    Differential revision: https://reviews.freebsd.org/D48150

 sys/fs/nullfs/null_vfsops.c | 5 -----
 1 file changed, 5 deletions(-)
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=57d12ea5c9b07a6407e3518aeb2383f29be727d2

commit 57d12ea5c9b07a6407e3518aeb2383f29be727d2
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-12-19 22:14:20 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-12-27 06:24:55 +0000

    nullfs: stop lying about mount flags in statfs(2)

    PR: 283425

    (cherry picked from commit 709989bab5d060763bb8fd8e75d33f8bd1d454ad)

 sys/fs/nullfs/null_vfsops.c | 5 -----
 1 file changed, 5 deletions(-)
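
Added example (not part of this bug thread and not FreeBSD's periodic code): an audit sketch for the concern raised above about 100.chksetuid and 110.neggrpperm skipping filesystems that report nosuid. It scans nullfs mounts for setuid/setgid files even when mount output claims nosuid, since on kernels without the commits above that flag may only be copied from the lower filesystem. Function names are hypothetical, the sample mount output is constructed apart from the /mnt line taken from the report, and parsing assumes the mount(8) line format shown in the report.

```shell
#!/bin/sh
# Constructed sample of mount(8) output; only the /mnt line is from the report.
sample_mount_output() {
    cat <<'EOF'
/dev/ada0p2 on / (ufs, local, soft-updates)
tank/root on /root (zfs, local, noatime, nosuid, nfsv4acls)
/root on /mnt (nullfs, local, noatime, nosuid, nfsv4acls)
/usr/ports on /jail/ports (nullfs, local, read-only)
EOF
}

# Read mount output on stdin; print the mount point of every nullfs mount
# whose option list contains nosuid. Other filesystem types are ignored.
nullfs_reporting_nosuid() {
    sed -n 's/^.* on \(.*\) (nullfs[^)]*, nosuid[,)].*$/\1/p'
}

# Print setuid or setgid regular files under directory $1, without
# crossing into other mounted filesystems.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Read mount output on stdin and list set-id files on every nullfs mount
# that reports nosuid, one "nosuid-unverified <path>" line per file.
audit() {
    nullfs_reporting_nosuid | while IFS= read -r mp; do
        setid_files "$mp" | while IFS= read -r f; do
            printf 'nosuid-unverified %s\n' "$f"
        done
    done
}

# Live use on a FreeBSD host: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    mount | audit
fi
```

Any path it prints is a set-id file on a nullfs mount whose nosuid flag should be confirmed by an explicit nosuid option on the nullfs mount itself, not by the flag inherited from the lower filesystem.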