From nobody@FreeBSD.org  Fri Sep 21 15:51:31 2007
Message-Id: <200709211551.l8LFpU0r024379@www.freebsd.org>
Date: Fri, 21 Sep 2007 15:51:30 GMT
From: Patrick Lamaiziere <patpr@davenulle.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: NTFS mount does not check that user has permissions on the device
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         116515
>Category:       kern
>Synopsis:       [ntfs] NTFS mount does not check that user has permissions on the device
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kevlo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 21 16:00:05 GMT 2007
>Closed-Date:    Sun Apr 08 15:15:07 UTC 2012
>Last-Modified:  Sun Apr 08 15:15:07 UTC 2012
>Originator:     Patrick Lamaiziere
>Release:        6.2-STABLE/i386
>Organization:
>Environment:
FreeBSD roxette.lamaiziere.net 6.2-STABLE FreeBSD 6.2-STABLE #2: Fri Sep 14 00:29:52 CEST 2007     patrick@roxette.lamaiziere.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The NTFS file system does not check that the user has necessary
permissions on the device to mount it when vfs.usermount is set to "1". 

This problem allows any user to mount (and then to use) any ntfs file system, without any permission on the device. But only if vfs.usermount is set to "1".
I think this is a security issue...

In their vfs operation "mount", other file systems (ffs, msdosfs, udf, ext, ...) check with a test that the user has the necessary permissions on the device.
But this test is missing in the NTFS file system.

The test looks like this (see for example sys/fs/msdosfs/msdosfs_vfsops.c at line 357):

/*
 * If mount by non-root, then verify that user has necessary
 * permissions on the device.
 */
if (suser(td)) {
	accessmode = VREAD;
	if ((mp->mnt_flag & MNT_RDONLY) == 0)
		accessmode |= VWRITE;
	if ((error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td)) != 0) {
		vput(devvp);
		return (error);
	}
}

>How-To-Repeat:
Sample (/dev/ad0s2 is my NTFS/MS-Windows slice)
I am the user "toto".

$ sysctl vfs.usermount
vfs.usermount: 1
$ id
uid=1002(toto) gid=1004(toto) groups=1004(toto)
$ ls -l /dev/ad0s2
crw-r-----  1 root  operator    0,  96 12 sep 21:52 /dev/ad0s2

(user "toto" is not in the group operator and should not be allowed to mount the device)

$ mkdir /usr/home/toto/win
$ mount_ntfs /dev/ad0s2 /usr/home/toto/win
$ mount
/dev/ad0s3a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s3e on /tmp (ufs, local, soft-updates)
/dev/ad0s3f on /usr (ufs, local, soft-updates)
/dev/ad0s3d on /var (ufs, local, soft-updates)
/dev/ad0s2 on /usr/home/toto/win (ntfs, local, nosuid, mounted by toto)

$ ls /usr/home/toto/win
$AttrDef*                       RECYCLER/
[...]
>Fix:
Verify in the mount operation of the NTFS file system that the user has the necessary permissions. File sys/fs/ntfs/ntfs_vfsops.c, function ntfs_mount()

The attached patch checks the permission. This is a merge with the file sys/fs/msdosfs/msdosfs_vfsops.c.
It seems to work but I'm not sure if this is the good way to do this check.


Patch attached with submission follows:

--- sys/fs/ntfs/ntfs_vfsops.org	2007-09-14 00:13:35.000000000 +0200
+++ sys/fs/ntfs/ntfs_vfsops.c	2007-09-14 00:19:46.000000000 +0200
@@ -157,6 +157,7 @@ ntfs_mount ( 
 	struct vnode	*devvp;
 	struct nameidata ndp;
 	char *from;
+	mode_t accessmode;
 
 	if (vfs_filteropt(mp->mnt_optnew, ntfs_opts))
 		return (EINVAL);
@@ -198,6 +199,20 @@ ntfs_mount ( 
 		return (err);
 	}
 
+	/*
+	 * If mount by non-root, then verify that user has necessary
+	 * permissions on the device.
+	 */
+	if (suser(td)) {
+		accessmode = VREAD;
+		if ((mp->mnt_flag & MNT_RDONLY) == 0)
+			accessmode |= VWRITE;
+		if ((error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td))!= 0){
+			vput(devvp);
+			return (error);
+		}
+	}
+
 	if (mp->mnt_flag & MNT_UPDATE) {
 #if 0
 		/*
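
Review bot: The added block assigns to and returns `error`, but the unchanged context line at the top of this hunk is `return (err);`, so ntfs_mount() appears to name its error variable `err`, and the first hunk only adds a declaration for `accessmode`. Unless `error` is declared somewhere outside the visible lines this will not compile; use `err = VOP_ACCESS(...)` and `return (err);` to match the surrounding code. Neither hunk shows where `td` comes from either, so confirm it is in scope at this point. Minor style: `!= 0){` should read `!= 0) {`.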


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->remko 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Sep 21 21:11:04 UTC 2007 
Responsible-Changed-Why:  
So, we discussed this on secteam, I will grab this ticket to keep the 
history intact (I don't really see the point for a PR at the moment, but 
that could just be me). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116515 

From: Patrick Lamaiziere <patpr@davenulle.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/116515: [ntfs] NTFS mount does not check that user has
 permissions on the device
Date: Mon, 24 Sep 2007 01:26:15 +0200

 Hello,
 
 Well, it seems not clear if this is a bug or not. I don't find any
 documentation about the intended behavior of the vfs.usermount sysctl.
 
 The problem is only: when vfs.usermount is set to "1", must the file
 system check the permissions of the user or not? All the documents I can
 find about the use of this sysctl say "yes" and other file systems
 check the permissions. So why is NTFS an exception?
 
 I checked the code of OpenBSD; they fixed this problem in revision
 1.7 of ntfs_vfsops.c (they use the kern.usermount sysctl).
 
 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/ntfs/ntfs_vfsops.c.diff?r1=1.6&r2=1.7&f=h
 tinyurl : http://tinyurl.com/2ro27w
 
 I checked the code of NetBSD too but I am not sure if they do this check.
 
 Regards.
Responsible-Changed-From-To: remko->rwatson 
Responsible-Changed-By: remko 
Responsible-Changed-When: Thu Feb 24 16:36:55 UTC 2011 
Responsible-Changed-Why:  
Robert, can you please have a look at whether this would 
be OK to do? I think it looks fine if we do it like this as 
in the ffs source: 

/*
 * If mount by non-root, then verify that user has necessary
 * permissions on the device.
 */
accmode = VREAD;
if ((mp->mnt_flag & MNT_RDONLY) == 0)
	accmode |= VWRITE;
error = VOP_ACCESS(devvp, accmode, td->td_ucred, td);
if (error)
	error = priv_check(td, PRIV_VFS_MOUNT_PERM);
if (error) {
	vput(devvp);
	return (error);
}

If you think this is OK to do, please assign the PR back to me 
and I will do the work for it (would be difficult testing it 
beyond doing a testbuild). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116515 
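
An added example, not part of the PR or of FreeBSD's source: a user-space C model of the mount-time decision discussed in the report and in the ffs-style snippet above, comparing the missing check with the access-then-privilege check for the device and user shown in How-To-Repeat. All names (model_cred, model_dev, model_access, the M_* constants) are hypothetical stand-ins; the gid 5 for "operator" and the simplified owner/group/other test are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
/* Model constants local to this example, not copied from kernel headers. */
#define M_VREAD  0x4	/* stands in for VREAD */
#define M_VWRITE 0x2	/* stands in for VWRITE */
#define M_RDONLY 0x1	/* stands in for MNT_RDONLY */

struct model_cred { uid_t uid; gid_t groups[4]; size_t ngroups; bool mount_priv; };
struct model_dev { uid_t uid; gid_t gid; mode_t mode; };

/* Simplified owner/group/other test standing in for VOP_ACCESS(). */
static int model_access(const struct model_dev *d, int want, const struct model_cred *c)
{
	int shift = 0;				/* "other" bits by default */
	if (c->uid == d->uid)
		shift = 6;
	else
		for (size_t i = 0; i < c->ngroups; i++)
			if (c->groups[i] == d->gid)
				shift = 3;
	return ((((int)d->mode >> shift) & want) == want) ? 0 : EACCES;
}

/* Behaviour the PR reports for NTFS: the device is never checked. */
int mount_check_missing(const struct model_dev *d, int flags, const struct model_cred *c)
{
	(void)d; (void)flags; (void)c;
	return (0);
}

/* ffs-style check quoted in the audit trail: access test, then privilege. */
int mount_check_ffs_style(const struct model_dev *d, int flags, const struct model_cred *c)
{
	int accmode = M_VREAD;
	if ((flags & M_RDONLY) == 0)
		accmode |= M_VWRITE;
	int error = model_access(d, accmode, c);
	if (error)
		error = c->mount_priv ? 0 : EPERM;	/* models priv_check() */
	return (error);
}
int main(void)
{
	struct model_dev ad0s2 = { 0, 5, 0640 };	/* constructed: crw-r----- root:operator */
	struct model_cred toto = { 1002, { 1004 }, 1, false };
	printf("missing=%d ffs_style=%d\n", mount_check_missing(&ad0s2, M_RDONLY, &toto),
	    mount_check_ffs_style(&ad0s2, M_RDONLY, &toto));
	return (0);
}
```
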
State-Changed-From-To: open->patched 
State-Changed-By: rwatson 
State-Changed-When: Sun Apr 8 11:55:42 UTC 2012 
State-Changed-Why:  
Transition to patched; r232099 appears to resolve this issue.  Please let 
me know when it is MFC'd to appropriate branches so that I can transition 
to closed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116515 
Responsible-Changed-From-To: rwatson->kevlo 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sun Apr 8 11:56:45 UTC 2012 
Responsible-Changed-Why:  
Assign to kevlo as he has fixed it in HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116515 
State-Changed-From-To: patched->closed 
State-Changed-By: kevlo 
State-Changed-When: Sun Apr 8 15:14:03 UTC 2012 
State-Changed-Why:  
The fix was MFC'd to stable/9 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116515 
>Unformatted:
