Bug 22142

Summary: securelevel does not affect mount
Product: Base System Reporter: patrick <patrick>
Component: kernAssignee: Mark Linimon <linimon>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description patrick 2000-10-20 07:20:01 UTC 
Securelevel should be able to restrict mounting/remounting of filesystems
if raised above a certain level in order to secure ro-mounted filesystems

Fix: #in function mount and unmount in vfs_syscalls:
#



+       if (securelevel > 1)
+               return EPERM;
+
        if (usermount == 0 && (error = suser(p)))
                return (error);
        /*
@@ -410,6 +413,9 @@
        struct mount *mp;
        int error;
        struct nameidata nd;
+
+       if (securelevel > 1)
+               return EPERM;

        NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
            SCARG(uap, path), p);--WevsbWdK0Z5h5Z4QM29LIEgLwK5zn2efTUgFxAMKVxDR4MiV
Content-Type: text/plain; name="file.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="file.diff"

--- kern/vfs_syscalls.c.orig    Thu Sep 28 23:22:42 2000
+++ kern/vfs_syscalls.c Thu Sep 28 23:28:54 2000
@@ -120,6 +120,9 @@
        struct nameidata nd;
        char fstypename[MFSNAMELEN];
How-To-Repeat: increase securelevel to any value, remount any fs ro->rw works
Comment 1 Johan Karlsson freebsd_committer freebsd_triage 2002-08-23 02:41:46 UTC 
Responsible Changed
From-To: freebsd-bugs->freebsd-security

Lets get -security's opinion about this.
Comment 2 Johan Karlsson freebsd_committer freebsd_triage 2002-08-23 14:35:07 UTC 
Attach to audit-trail.

----- Forwarded message from Lupe Christoph <lupe@lupe-christoph.de> -----

From: lupe@lupe-christoph.de (Lupe Christoph)
To: Jan Srzednicki <winfried@student.uci.agh.edu.pl>
Cc: Johan Karlsson <johan@FreeBSD.org>, freebsd-bugs@FreeBSD.org,
   freebsd-security@FreeBSD.org
Subject: Re: kern/22142: securelevel does not affect mount
Date: Fri, 23 Aug 2002 12:24:02 +0200

On Friday, 2002-08-23 at 09:43:15 +0200, Jan Srzednicki wrote:
> On Thu, 22 Aug 2002, Johan Karlsson wrote:

> > Synopsis: securelevel does not affect mount

> > Responsible-Changed-From-To: freebsd-bugs->freebsd-security
> > Responsible-Changed-By: johan
> > Responsible-Changed-When: Thu Aug 22 18:41:46 PDT 2002
> > Responsible-Changed-Why:
> > 	Lets get -security's opinion about this.

> > http://www.freebsd.org/cgi/query-pr.cgi?pr=22142

> I'm afraid changin securelevel's behaviour would break some system schemes
> out there, which is rather unwanted thing for -STABLE. One thing we can do
> is to wait for MACs in -CURRENT. Maybe a better solution is to add another
> sysctl just form mount? Like kern.mount_disabled, which, when set to 1,
> cannot be reverted back.

It would break my system disk cloning scheme. Currently I mount the
cloning targets, rsync the live copy, and umount the clones. That way,
they will not need fsck'ing when I need them. NO big thing, though.
But on a different (Linux) machine, I write dumps to a Zip drive.
The medium is umounted and ejected when it's full, to be replaced
by the alternate medium.

So I agree a finer grained control is need. Preferably even tunable
per device, allowing the Zip drive to be mounted/umounted, but no other
device.

I haven't looked at -CURRENT at all. How fine grained are those MACs?
(Excuse me for not having the time right now to read up on them.)

Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |

----- End forwarded message -----

-- 
Johan Karlsson		mailto:johan@FreeBSD.org
Comment 3 Johan Karlsson freebsd_committer freebsd_triage 2002-08-25 03:04:48 UTC 
Responsible Changed
From-To: freebsd-security->security

Use short names for mailing list to make searches    
using the web query form work with the shown responsible. 

This also makes open PR show up in the summery mail.
Comment 4 Crist J. Clark freebsd_committer freebsd_triage 2002-08-25 08:02:34 UTC 
Responsible Changed
From-To: security->cjc

I'll take it for two reasons: 

1) I went through this same discussion some time ago. I'll look at a 
new knob or kernel config setting to enable this behavior. 

2) Please do not assign PRs to "security" or "freebsd-security." 
Freebsd-security gets PR summaries because of a bug (and I just sent 
peter a patch to fix it). Yes, some lists for developers can be 
assigned PRs, but freebsd-security is not a developers list. It serves 
a wider audience. And the SNR is low enough without lots of PR 
threads. If you want to CC or forward a PR to freebsd-security, OK, 
but don't assign it to the list. If you want to assign 
security-related PRs to a group of developers, assign them to 
security-officer.
Comment 5 Mark Linimon freebsd_committer freebsd_triage 2006-04-03 02:29:28 UTC 
State Changed
From-To: open->feedback

Is this still a problem in current versions on FreeBSD?
Comment 6 Mark Linimon freebsd_committer freebsd_triage 2006-04-03 02:29:28 UTC 
Responsible Changed
From-To: cjc->linimon

Reset PR assigned to inactive committer who has not responded to email.
Comment 7 Mark Linimon freebsd_committer freebsd_triage 2006-06-18 22:16:10 UTC 
State Changed
From-To: feedback->closed

Feedback timeout (> 2 months).