From nick@milla.ask33.net  Thu Dec 11 05:51:19 2003
Return-Path: <nick@milla.ask33.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7B97616A4D1; Thu, 11 Dec 2003 05:49:59 -0800 (PST)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id AD45943D3A; Thu, 11 Dec 2003 05:49:49 -0800 (PST)
	(envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001)
	id A48643ABB53; Thu, 11 Dec 2003 14:50:32 +0100 (CET)
Message-Id: <20031211135032.A48643ABB53@milla.ask33.net>
Date: Thu, 11 Dec 2003 14:50:32 +0100 (CET)
From: Pawel Jakub Dawidek <jules@garage.freebsd.pl>
Reply-To: Pawel Jakub Dawidek <jules@garage.freebsd.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc: nectar@freebsd.org, rwatson@freebsd.org
Subject: Unmount operation is permitted inside jail.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         60149
>Category:       kern
>Synopsis:       Unmount operation is permitted inside jail.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 11 06:00:32 PST 2003
>Closed-Date:    Fri Feb 20 04:04:56 PST 2004
>Last-Modified:  Sat Feb 21 05:33:29 PST 2004
>Originator:     Pawel Jakub Dawidek <jules@garage.freebsd.pl>
>Release:        FreeBSD 5.2-CURRENT, FreeBSD 4.x.
>Organization:
None
>Environment:
System: FreeBSD anger.hell.invalid 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Mon Dec 8 15:41:20 CET 2003 root@anger.hell.invalid:/usr/obj/usr/src/sys/ANGER i386

>Description:
	This possibility was originally reported by:
		Dariusz Kowalski <darek@76.pl>

	There is a missing check in the unmount(2) system call.
	Because of this, jailed root is able to unmount any file system
	(except the root file system, because of a different check).

	The insufficient check is here (/sys/kern/vfs_mount.c:1058):

	if (mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) {
		error = suser(td);
		if (error)
			return (error);
	}

	We're missing the suser() test for root in jail.

	This bug also exists in FreeBSD 4.x:

	if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
	    (error = suser(p))) {
		vput(vp);
		return (error);
	}

	For jailed root the first check will fail, so the whole 'if' will fail.

>How-To-Repeat:
	# mdconfig -a -t malloc -s 1M -u 10
	# newfs -O1 /dev/md10
	# mkdir /mnt/test
	# mount /dev/md10 /mnt/test
	# jail / test 127.0.0.1 /sbin/umount /mnt/test
	umount: retrying using path instead of file system ID
	# mount | grep /mnt/test
	Exit 1
>Fix:
	This patch should fix this bug (against FreeBSD 5-CURRENT):

	--[ start ]--
--- vfs_mount.c.orig	Thu Dec 11 14:01:58 2003
+++ vfs_mount.c	Thu Dec 11 14:38:45 2003
@@ -68,6 +68,7 @@
 #include <sys/param.h>
 #include <sys/conf.h>
 #include <sys/cons.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/linker.h>
 #include <sys/mac.h>
@@ -1013,6 +1014,12 @@
 	struct mount *mp;
 	char *pathbuf;
 	int error, id0, id1;
+
+	/*
+	 * Unmount operation is not permitted inside jail.
+	 */
+	if (jailed(td->td_ucred))
+		return (EPERM);
 
 	pathbuf = malloc(MNAMELEN, M_TEMP, M_WAITOK);
 	error = copyinstr(uap->path, pathbuf, MNAMELEN, NULL);
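Review bot: the jailed() test is placed before pathbuf is allocated, so the early return (EPERM) leaks nothing, which is the right spot for it; the point to settle is that it rejects every jailed caller unconditionally, which is stricter than the suser() test the description identifies as missing, so a jailed root that was allowed to mount a file system itself also loses the ability to unmount it. If that is the intended policy, the comment "Unmount operation is not permitted inside jail." states it accurately; otherwise the check belongs next to the cr_uid comparison so that only the non-owner path is closed.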
	--[ end ]--

	And this one against FreeBSD 4.8 (not tested):

	--[ start ]--
--- vfs_syscalls.c.orig	Thu Dec 11 14:27:17 2003
+++ vfs_syscalls.c	Thu Dec 11 14:28:36 2003
@@ -441,6 +441,12 @@
 	mp = vp->v_mount;
 
 	/*
+	 * Unmount operation is not permitted inside jail.
+	 */
+	if (p->p_prison != NULL)
+		return (EPERM);
+
+	/*
 	 * Only root, or the user that did the original mount is
 	 * permitted to unmount this filesystem.
 	 */
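Review bot: the new early return after `mp = vp->v_mount;` exits without `vput(vp)`, while the existing permission-check error path shown in the description does `vput(vp); return (error);`, so this check leaks the vnode reference and lock taken for the lookup. Suggest `if (p->p_prison != NULL) { vput(vp); return (EPERM); }`, or moving the prison test ahead of the vnode lookup. The PR marks this patch as untested, which fits.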
	--[ end ]--
>Release-Note:
>Audit-Trail:

From: Uwe Doering <gemini@geminix.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/60149: Unmount operation is permitted inside jail.
Date: Fri, 12 Dec 2003 17:20:09 +0100

 
 Pawel Jakub Dawidek wrote:
 >>Fix:
 > [...]
 > 	And this one against FreeBSD 4.8 (not tested):
 > [...]
 
 I suggest using the attached patch, at least for 4.x.  It is tested and 
 more in line with mount()'s permission checking semantics.  Or in case 
 this approach (relying on 'vfs.usermount') is considered insufficient 
 for jails, mount() should be fixed as well.
 
     Uwe
 -- 
 Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
 gemini@geminix.org  |  http://www.escapebox.net
 
 [attachment: vfs_syscalls.c.diff]
 
 --- src/sys/kern/vfs_syscalls.c.orig	Sun Jan 26 11:33:05 2003
 +++ src/sys/kern/vfs_syscalls.c	Fri Dec 12 11:51:46 2003
 @@ -444,7 +444,7 @@
  	 * Only root, or the user that did the original mount is
  	 * permitted to unmount this filesystem.
  	 */
 -	if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
 +	if ((usermount == 0 || mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
  	    (error = suser(p))) {
  		vput(vp);
  		return (error);
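Review bot: the rewritten condition makes suser() mandatory whenever usermount == 0, but with vfs.usermount enabled the owner test still compares f_owner against cr_uid, and a jailed root has cr_uid 0 just like the host root that performed the mount, so the jail restriction then holds only through the sysctl, as the cover note itself anticipates. An explicit p_prison check alongside the owner test would make the behaviour independent of vfs.usermount.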
 
 
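The following is a user-space model, added here and not part of this PR or of FreeBSD's source, of the three unmount(2) permission predicates discussed in the report and the follow-up: the original owner-or-suser() check, the explicit jail check from the submitted patches, and the vfs.usermount variant from the attached 4.x diff. `struct cred`, `struct mnt` and `suser_stub()` are constructed stand-ins for the kernel's ucred, mount and suser(); suser_stub() denies jailed root, which is the behaviour the report relies on. Running it shows which variants close the hole for a jailed uid 0 against a file system mounted by host root.

```c
/* Added example (not FreeBSD source): user-space model of the unmount(2)
 * permission predicate from kern/60149.  All structs and helpers are
 * simplified stand-ins for the kernel's ucred/mount/suser(), not the
 * real kernel API. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the credential fields the check looks at. */
struct cred {
	unsigned int uid;  /* effective uid (cr_uid) */
	bool jailed;       /* inside a jail (p_prison != NULL / jailed()) */
};

/* Constructed stand-in for the mount's recorded owner
 * (f_owner on 4.x, mnt_cred->cr_uid on 5-CURRENT). */
struct mnt {
	unsigned int owner_uid;
};

/* Stand-in for suser(): unjailed uid 0 passes, jailed root is denied.
 * Returns 0 on success, EPERM otherwise, like the kernel routine. */
static int suser_stub(const struct cred *c)
{
	return (c->uid == 0 && !c->jailed) ? 0 : EPERM;
}

/* Variant A: the original check quoted in the PR.  The uid comparison
 * short-circuits suser() when the uids match, and jailed root has uid 0
 * just like the host root that did the mount. */
int unmount_allowed_original(const struct mnt *m, const struct cred *c)
{
	int error = 0;

	if (m->owner_uid != c->uid && (error = suser_stub(c)) != 0)
		return error;
	return 0;
}

/* Variant B: the PR's fix, an explicit jail test ahead of the owner check. */
int unmount_allowed_jail_check(const struct mnt *m, const struct cred *c)
{
	if (c->jailed)
		return EPERM;
	return unmount_allowed_original(m, c);
}

/* Variant C: the follow-up 4.x patch, which makes suser() mandatory unless
 * vfs.usermount is on and the caller owns the mount. */
int unmount_allowed_usermount(const struct mnt *m, const struct cred *c,
    int usermount)
{
	int error = 0;

	if ((usermount == 0 || m->owner_uid != c->uid) &&
	    (error = suser_stub(c)) != 0)
		return error;
	return 0;
}

int main(void)
{
	struct mnt host_mount = { .owner_uid = 0 };  /* mounted by host root */
	struct cred jailed_root = { .uid = 0, .jailed = true };
	struct cred host_root = { .uid = 0, .jailed = false };

	printf("original:     jailed root -> %s\n",
	    unmount_allowed_original(&host_mount, &jailed_root) ? "denied" : "ALLOWED");
	printf("jail check:   jailed root -> %s\n",
	    unmount_allowed_jail_check(&host_mount, &jailed_root) ? "denied" : "ALLOWED");
	printf("usermount=0:  jailed root -> %s\n",
	    unmount_allowed_usermount(&host_mount, &jailed_root, 0) ? "denied" : "ALLOWED");
	printf("usermount=1:  jailed root -> %s\n",
	    unmount_allowed_usermount(&host_mount, &jailed_root, 1) ? "denied" : "ALLOWED");
	printf("original:     host root   -> %s\n",
	    unmount_allowed_original(&host_mount, &host_root) ? "denied" : "allowed");
	return 0;
}
```

The model makes the two points of the thread concrete: the original predicate never reaches suser() because both uids are 0, and the usermount variant closes the hole only while vfs.usermount is 0, since with the sysctl enabled the same uid equality applies.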
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sat Jan 10 18:10:28 PST 2004 
Responsible-Changed-Why:  
I'll grab ownership of this, thanks! 


http://www.freebsd.org/cgi/query-pr.cgi?pr=60149 
State-Changed-From-To: open->closed 
State-Changed-By: pjd 
State-Changed-When: Fri Feb 20 04:04:03 PST 2004
State-Changed-Why:  
Fixed, thank you, Pawel:) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60149 
>Unformatted:
