tech-security archive


Re: puffs ignores filesystem permissions

On Mon Dec 20 2010 at 10:35:37 +0100, Geert Hendrickx wrote:
> Hi,
> it seems puffs, our userspace filesystem framework, has a serious
> security issue: it is completely ignoring filesystem permissions!
> This is on NetBSD 5.1:
>   # rump_tmpfs tmpfs /mnt
>   [ doesn't return, so switching to another terminal ]
>   # cp /etc/fstab /mnt
>   # chmod 700 /mnt
>   # chmod 600 /mnt/fstab
> --> now as a regular user:
>   % cat /mnt/fstab
>   [ works ]
> I can reproduce this issue with all puffs, rump and fuse filesystems
> (initially noticed it while testing fuse-encfs from pkgsrc).


First of all, puffs *cannot* ignore permissions, since the whole access
control policy is up to the server.  For some types of servers this
makes more sense than for others, and e.g. sshfs just does whatever is
allowed by the remote end for the user the sftp connection was made as.
rump servers use whatever policy the rump kernel uses (by default the
4.4BSD secmodel).

IIRC there is a bug in netbsd-5 rump which causes kauth to think no
security models are loaded (in which case kauth allows all operations).
I think there even is an open or pullup-pending PR about this.  Now,
at least I do not support rump from netbsd-5 since it was very very
experimental at the time of the branch.  Additionally, since you can use
rump from -current on netbsd-5, it would just be a lot of extra work,
and doubly so since there are no suitable tests for netbsd-5.

This is what happens on my machine:
pain-rustique:1:~> uname -a
NetBSD pain-rustique.localhost 5.1_RC4 NetBSD 5.1_RC4 (PAIN-RUSTIQUE) #1: Tue Oct 12 13:37:42 CEST 2010  pooka@pain-rustique.localhost:/objs/kobj/PAIN-RUSTIQUE i386
pain-rustique:2:~> rump_tmpfs tmpfs /mnt
pain-rustique:3:~> cd /mnt
pain-rustique:4:/mnt> touch foo
pain-rustique:5:/mnt> chmod 0 foo
pain-rustique:6:/mnt> cat foo
cat: foo: Permission denied
pain-rustique:7:/mnt> sudo cat foo

I'm not sure if refuse implements access control.  At least I don't
remember implementing it.  If it doesn't, it's most likely not too
difficult to figure out how to do it in FUSE and add a mapping.

Generally speaking, we should have extensive tests for file system
permissions.  Not too long ago local file system access control was
broken in the -current kernel for quite some time ...

Don't lose your hopefulness, there are surely plenty of rags and tatters.
