There's a bug in the NTFS code that lets the user specify file mode bits other than 0777 allowing for hijacking the file's type in strange ways. Fix: The attached patch performs the same masking as in sys/fs/msdosfs/msdosfs_vfsops.c It was successfully built and tested on 6.2-STABLE and known to patch against -CURRENT. Maybe we should patch mount_ntfs(8) too to remind the user that "only the nine low-order bits of mask are used", just as mount_msdosfs(8) does... Patch attached with submission follows: How-To-Repeat: $ id uid=501(ighighi) gid=501(ighighi) groups=501(ighighi),69(network) $ sysctl vfs.usermount vfs.usermount: 1 $ mkdir /tmp/mnt $ /sbin/mount_ntfs -o ro -m 010555 /dev/ad0s1 /tmp/mnt/ $ /bin/ls -l /tmp/mnt ?rwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 /tmp/mnt $ /sbin/umount /tmp/mnt $ /sbin/mount_ntfs -o ro -m 020555 /dev/ad0s1 /tmp/mnt/ $ /bin/ls -l /tmp/mnt brwxr-xr-x 1 ighighi wheel 0, 0 Apr 22 2009 /tmp/mnt $ /sbin/umount /tmp/mnt $ /sbin/mount_ntfs -o ro -m 040555 /dev/ad0s1 /tmp/mnt/ $ /bin/ls -l /tmp/mnt total 425220 srwxr-xr-x 1 ighighi wheel 2560 Apr 22 2009 $AttrDef srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 $BadClus srwxr-xr-x 1 ighighi wheel 183248 Apr 22 2009 $Bitmap srwxr-xr-x 1 ighighi wheel 8192 Apr 26 2006 $Boot drwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 $Extend srwxr-xr-x 1 ighighi wheel 32129024 Apr 26 2006 $LogFile srwxr-xr-x 1 ighighi wheel 4096 Apr 26 2006 $MFTMirr srwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 $Secure srwxr-xr-x 1 ighighi wheel 131072 Apr 22 2009 $UpCase srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 $Volume srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 AUTOEXEC.BAT srwxr-xr-x 1 ighighi wheel 4952 Dec 22 2002 Bootfont.bin srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 CONFIG.SYS drwxr-xr-x 1 ighighi wheel 0 Jun 29 2006 Documents and Settings srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 IO.SYS srwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 MSDOS.SYS drwxr-xr-x 1 ighighi wheel 0 Apr 27 2006 MSOCache srwxr-xr-x 1 ighighi wheel 47564 Aug 3 2004 NTDETECT.COM drwxr-xr-x 1 ighighi wheel 0 Jul 6 2006 RECYCLER drwxr-xr-x 1 ighighi wheel 0 Apr 26 2006 System Volume Information drwxr-xr-x 1 ighighi wheel 0 Feb 8 01:56 WINDOWS srwxr-xr-x 1 ighighi wheel 211 Apr 26 2006 boot.ini drwxr-xr-x 1 ighighi wheel 0 Dec 18 2006 cygwin srwxr-xr-x 1 ighighi wheel 250640 Aug 3 2004 ntldr srwxr-xr-x 1 ighighi wheel 402653184 Jul 22 23:56 pagefile.sys drwxr-xr-x 1 ighighi wheel 0 Dec 18 2006 rsyncd $ /sbin/umount /tmp/mnt $ /sbin/mount_ntfs -o ro -m 100555 /dev/ad0s1 /tmp/mnt/ $ /bin/ls -l /tmp/mnt srwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 /tmp/mnt $ /sbin/umount /tmp/mnt $ /sbin/mount_ntfs -o ro -m 120555 /dev/ad0s1 /tmp/mnt/ $ /bin/ls -l /tmp/mnt wrwxr-xr-x 1 ighighi wheel 0 Apr 22 2009 /tmp/mnt $ /sbin/umount /tmp/mnt
Responsible Changed From-To: freebsd-bugs->freebsd-fs I think the FS list is a better place for this PR.
maxim 2007-11-17 17:05:01 UTC FreeBSD src repository Modified files: sbin/mount_ntfs mount_ntfs.8 sys/fs/ntfs ntfs_vfsops.c Log: o Mask maximum file permissions we get from mount_ntfs -m with ACCESSPERMS. Document in mount_ntfs(8) only the nine low-order bits of mask are used (taken from mount_msdosfs(8)). PR: kern/114856 Submitted by: Ighighi MFC after: 1 month Revision Changes Path 1.22 +4 -1 src/sbin/mount_ntfs/mount_ntfs.8 1.90 +2 -1 src/sys/fs/ntfs/ntfs_vfsops.c _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Merged to RELENG_6 and RELENG_7.