Bug 212861

Summary: [tmpfs] uchg files can be removed by root
Product: Base System Reporter: Enji Cooper <ngie>
Component: kernAssignee: freebsd-fs (Nobody) <fs>
Status: Closed FIXED    
Severity: Affects Some People CC: trasz
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   

Description Enji Cooper freebsd_committer freebsd_triage 2016-09-20 17:48:48 UTC
This issue seems to be present on tmpfs, only (it always returns EPERM on UFS). Not sure about ZFS.

Found by contrib/netbsd-tests/fs/tmpfs/t_remove.sh .

The following command snippets demonstrate the repro:

Invariant tested with UFS:

$ touch /tmp/uchg.file
$ chflags uchg /tmp/uchg.file
$ rm -f /tmp/uchg.file
rm: /tmp/uchg.file: Operation not permitted
$ rm /tmp/uchg.file 
override rw-r--r--  ngie/wheel uchg for /tmp/uchg.file? y
rm: /tmp/uchg.file: Operation not permitted
$

Invariant tested with tmpfs:

$ mntpt=/tmp/tmpfs
$ mkdir $mntpt
$ sudo mount -t tmpfs tmpfs $mntpt
$ cd $mntpt
$ touch uchg.file; chflags uchg uchg.file
$ rm -f uchg.file 
rm: uchg.file: Operation not permitted
$ sudo rm -f uchg.file 
$ ls uchg.file 
ls: uchg.file: No such file or directory
$
Comment 1 Enji Cooper freebsd_committer freebsd_triage 2016-09-20 17:49:13 UTC
Sidenote:

$ uname -a
FreeBSD fbsd12 12.0-CURRENT FreeBSD 12.0-CURRENT #3 r305956: Sun Sep 18 21:40:02 PDT 2016     ngie@fbsd11:/usr/obj/usr/src/svn/sys/GENERIC-NODEBUG  amd64
Comment 2 Edward Tomasz Napierala freebsd_committer freebsd_triage 2016-09-22 09:43:24 UTC
Could you do the same "sudo" thing in the UFS case?
Comment 3 Enji Cooper freebsd_committer freebsd_triage 2016-10-13 06:47:18 UTC
(In reply to Edward Tomasz Napierala from comment #2)

Sure.

Oy.. this is amusing:

$ touch /tmp/uchg.file
$ chflags uchg /tmp/uchg.file
$ rm -f /tmp/uchg.file
rm: /tmp/uchg.file: Operation not permitted
$ sudo rm -f /tmp/uchg.file
$ rm /tmp/uchg.file
rm: /tmp/uchg.file: No such file or directory

This means that the test will at the very least need to be run by an unprivileged user... but why can root always remove the file..? Hmm..
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-10-13 07:03:45 UTC
A commit references this bug:

Author: ngie
Date: Thu Oct 13 07:02:54 UTC 2016
New revision: 307190
URL: https://svnweb.freebsd.org/changeset/base/307190

Log:
  Skip :uchg on FreeBSD

  Unfortunately removing files with uchg set always succeeds with root on
  FreeBSD. Unfortunately running the test as an unprivileged user isn't doable
  because mounting tmpfs requires root

  PR:		212861
  Sponsored by:	Dell EMC Isilon

Changes:
  head/contrib/netbsd-tests/fs/tmpfs/t_remove.sh
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-10-13 08:35:55 UTC
A commit references this bug:

Author: ngie
Date: Thu Oct 13 08:35:09 UTC 2016
New revision: 307205
URL: https://svnweb.freebsd.org/changeset/base/307205

Log:
  Change atf_skip call to atf_expect_fail to make it clear that a failure is
  expected

  MFC after:	2 weeks
  PR:		212861
  Suggested by:	jmmv
  Sponsored by:	Dell EMC Isilon

Changes:
  head/contrib/netbsd-tests/fs/tmpfs/t_remove.sh
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-12-07 06:57:50 UTC
A commit references this bug:

Author: ngie
Date: Wed Dec  7 06:57:09 UTC 2016
New revision: 309668
URL: https://svnweb.freebsd.org/changeset/base/309668

Log:
  MFC r306030,r306031,r306033,r306036,r306038,r307190,r307196,r307204,r307205,r307701,r307702:

  r306030:

  Port vnode_leak_test:main to FreeBSD

  Use a simpler way of dumping kern.maxvnodes, i.e. `sysctl -n kern.maxvnodes`

  The awk filtering method employed in NetBSD doesn't work on FreeBSD

  r306031:

  Port contrib/netbsd-tests/fs/h_funcs.subr to FreeBSD

  Use kldstat -m to determine whether or not a filesystem is loaded. This works
  well with tmpfs, ufs, and zfs

  r306033:

  Port sizes_test and statvfs_test to FreeBSD

  Similar to r306030, use a simpler method for getting the value of
  `hw.pagesize`, i.e. `sysctl -n hw.pagesize`. The awk filtering method doesn't
  work on FreeBSD

  r306036:

  Port to mknod_test and readdir_test to FreeBSD

  The `mknod <file> p` command doesn't exist on FreeBSD, like on NetBSD. Use
  mkfifo instead to create named pipes (FIFOs).

  r306038:

  Port vnd_test to FreeBSD

  Use mdmfs/mdconfig instead of vndconfig/newfs. vndconfig doesn't exist on FreeBSD.

  TODO: need to parameterize out the md(4) device as it's currently hardcoded to "3"
  (in both the FreeBSD and NetBSD cases).

  r307190:

  Skip :uchg on FreeBSD

  Unfortunately removing files with uchg set always succeeds with root on
  FreeBSD. Unfortunately running the test as an unprivileged user isn't doable
  because mounting tmpfs requires root

  PR:		212861

  r307196:

  Port contrib/netbsd-tests/fs/tmpfs/h_tools.c to FreeBSD

  - Add inttypes.h #include for PRId64 macro
  - Use FreeBSD's copy of getfh(2), which doesn't include a `fh_size` parameter.
    Use sizeof(fhandle_t) instead as the size of fhp is always fixed as
    fhandle_t, unlike NetBSD's copy of fhp, which is void*.

  r307204:

  Expect :large to fail on FreeBSD

  FreeBSD doesn't appear to validate large -o size values like
  NetBSD does

  PR:		212862

  r307205:

  Change atf_skip call to atf_expect_fail to make it clear that a failure is
  expected

  PR:		212861
  Suggested by:	jmmv

  r307701:

  Expect tests/sys/fs/tmpfs/link_test:kqueue to fail

  It fails with: "dir/b did not receive NOTE_LINK"

  Also, add needed cleanup logic to cleanup the mountpoint after the fact

  PR:		213662

  r307702:

  Integrate contrib/netbsd-tests/fs/tmpfs into the FreeBSD test suite
  as tests/sys/fs

  These testcases exercise tmpfs support

Changes:
_U  stable/11/
  stable/11/contrib/netbsd-tests/fs/h_funcs.subr
  stable/11/contrib/netbsd-tests/fs/tmpfs/h_tools.c
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_link.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_mknod.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_mount.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_readdir.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_remove.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_sizes.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_statvfs.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_vnd.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_vnode_leak.sh
  stable/11/etc/mtree/BSD.tests.dist
  stable/11/tests/sys/Makefile
  stable/11/tests/sys/fs/
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-12-07 06:57:54 UTC
A commit references this bug:

Author: ngie
Date: Wed Dec  7 06:57:09 UTC 2016
New revision: 309668
URL: https://svnweb.freebsd.org/changeset/base/309668

Log:
  MFC r306030,r306031,r306033,r306036,r306038,r307190,r307196,r307204,r307205,r307701,r307702:

  r306030:

  Port vnode_leak_test:main to FreeBSD

  Use a simpler way of dumping kern.maxvnodes, i.e. `sysctl -n kern.maxvnodes`

  The awk filtering method employed in NetBSD doesn't work on FreeBSD

  r306031:

  Port contrib/netbsd-tests/fs/h_funcs.subr to FreeBSD

  Use kldstat -m to determine whether or not a filesystem is loaded. This works
  well with tmpfs, ufs, and zfs

  r306033:

  Port sizes_test and statvfs_test to FreeBSD

  Similar to r306030, use a simpler method for getting the value of
  `hw.pagesize`, i.e. `sysctl -n hw.pagesize`. The awk filtering method doesn't
  work on FreeBSD

  r306036:

  Port to mknod_test and readdir_test to FreeBSD

  The `mknod <file> p` command doesn't exist on FreeBSD, like on NetBSD. Use
  mkfifo instead to create named pipes (FIFOs).

  r306038:

  Port vnd_test to FreeBSD

  Use mdmfs/mdconfig instead of vndconfig/newfs. vndconfig doesn't exist on FreeBSD.

  TODO: need to parameterize out the md(4) device as it's currently hardcoded to "3"
  (in both the FreeBSD and NetBSD cases).

  r307190:

  Skip :uchg on FreeBSD

  Unfortunately removing files with uchg set always succeeds with root on
  FreeBSD. Unfortunately running the test as an unprivileged user isn't doable
  because mounting tmpfs requires root

  PR:		212861

  r307196:

  Port contrib/netbsd-tests/fs/tmpfs/h_tools.c to FreeBSD

  - Add inttypes.h #include for PRId64 macro
  - Use FreeBSD's copy of getfh(2), which doesn't include a `fh_size` parameter.
    Use sizeof(fhandle_t) instead as the size of fhp is always fixed as
    fhandle_t, unlike NetBSD's copy of fhp, which is void*.

  r307204:

  Expect :large to fail on FreeBSD

  FreeBSD doesn't appear to validate large -o size values like
  NetBSD does

  PR:		212862

  r307205:

  Change atf_skip call to atf_expect_fail to make it clear that a failure is
  expected

  PR:		212861
  Suggested by:	jmmv

  r307701:

  Expect tests/sys/fs/tmpfs/link_test:kqueue to fail

  It fails with: "dir/b did not receive NOTE_LINK"

  Also, add needed cleanup logic to cleanup the mountpoint after the fact

  PR:		213662

  r307702:

  Integrate contrib/netbsd-tests/fs/tmpfs into the FreeBSD test suite
  as tests/sys/fs

  These testcases exercise tmpfs support

Changes:
_U  stable/11/
  stable/11/contrib/netbsd-tests/fs/h_funcs.subr
  stable/11/contrib/netbsd-tests/fs/tmpfs/h_tools.c
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_link.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_mknod.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_mount.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_readdir.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_remove.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_sizes.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_statvfs.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_vnd.sh
  stable/11/contrib/netbsd-tests/fs/tmpfs/t_vnode_leak.sh
  stable/11/etc/mtree/BSD.tests.dist
  stable/11/tests/sys/Makefile
  stable/11/tests/sys/fs/
Comment 8 commit-hook freebsd_committer freebsd_triage 2017-02-10 02:52:56 UTC
A commit references this bug:

Author: ngie
Date: Fri Feb 10 02:51:54 UTC 2017
New revision: 313514
URL: https://svnweb.freebsd.org/changeset/base/313514

Log:
  MFC r307190,r307196,r307204,r307205:

  r307190:

  Skip :uchg on FreeBSD

  Unfortunately removing files with uchg set always succeeds with root on
  FreeBSD. Unfortunately running the test as an unprivileged user isn't doable
  because mounting tmpfs requires root

  PR:		212861

  r307196:

  Port contrib/netbsd-tests/fs/tmpfs/h_tools.c to FreeBSD

  - Add inttypes.h #include for PRId64 macro
  - Use FreeBSD's copy of getfh(2), which doesn't include a `fh_size` parameter.
    Use sizeof(fhandle_t) instead as the size of fhp is always fixed as
    fhandle_t, unlike NetBSD's copy of fhp, which is void*.

  r307204:

  Expect :large to fail on FreeBSD

  FreeBSD doesn't appear to validate large -o size values like
  NetBSD does

  PR:		212862

  r307205:

  Change atf_skip call to atf_expect_fail to make it clear that a failure is
  expected

  PR:		212861
  Suggested by:	jmmv

Changes:
_U  stable/10/
  stable/10/contrib/netbsd-tests/fs/tmpfs/h_tools.c
  stable/10/contrib/netbsd-tests/fs/tmpfs/t_mount.sh
  stable/10/contrib/netbsd-tests/fs/tmpfs/t_remove.sh
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-02-10 02:53:00 UTC
A commit references this bug:

Author: ngie
Date: Fri Feb 10 02:51:54 UTC 2017
New revision: 313514
URL: https://svnweb.freebsd.org/changeset/base/313514

Log:
  MFC r307190,r307196,r307204,r307205:

  r307190:

  Skip :uchg on FreeBSD

  Unfortunately removing files with uchg set always succeeds with root on
  FreeBSD. Unfortunately running the test as an unprivileged user isn't doable
  because mounting tmpfs requires root

  PR:		212861

  r307196:

  Port contrib/netbsd-tests/fs/tmpfs/h_tools.c to FreeBSD

  - Add inttypes.h #include for PRId64 macro
  - Use FreeBSD's copy of getfh(2), which doesn't include a `fh_size` parameter.
    Use sizeof(fhandle_t) instead as the size of fhp is always fixed as
    fhandle_t, unlike NetBSD's copy of fhp, which is void*.

  r307204:

  Expect :large to fail on FreeBSD

  FreeBSD doesn't appear to validate large -o size values like
  NetBSD does

  PR:		212862

  r307205:

  Change atf_skip call to atf_expect_fail to make it clear that a failure is
  expected

  PR:		212861
  Suggested by:	jmmv

Changes:
_U  stable/10/
  stable/10/contrib/netbsd-tests/fs/tmpfs/h_tools.c
  stable/10/contrib/netbsd-tests/fs/tmpfs/t_mount.sh
  stable/10/contrib/netbsd-tests/fs/tmpfs/t_remove.sh