NetBSD-Bugs archive
Re: kern/29360: vfs.generic.usermount and mount(8) general questions
The following reply was made to PR kern/29360; it has been noted by GNATS.
From: Elad Efrat <elad%NetBSD.org@localhost>
To: gnats-bugs%netbsd.org@localhost, tech-kern%netbsd.org@localhost
Cc:
Subject: Re: kern/29360: vfs.generic.usermount and mount(8) general questions
Date: Sun, 6 Sep 2009 02:01:44 -0400
Hi,
I just came across this PR.
The check that a non-root user owns the mount-point directory was
introduced way before vfs.generic.usermount. In fact, it seems that it
actually removed the root check, and allowed non-root users to freely
mount file-systems:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/vfs_syscalls.c.diff?r1=1.42&r2=1.43&f=h
In other words, I don't see a direct relation between the two.
I believe your (the submitter's) suggestion makes a lot of sense: if
we only care about read access to the device file when mounting as a
non-root user, why should we care about more than write access (i.e.,
ownership) for the mount-point in the same scenario?
What I suggest is that since we already have a check to ensure the
user is allowed to mount a file-system, we should replace the
following code in kern/vfs_syscalls.c:

    /*
     * If the user is not root, ensure that they own the directory
     * onto which we are attempting to mount.
     */
    if ((error = VOP_GETATTR(vp, &va, l->l_cred)) != 0 ||
        (va.va_uid != kauth_cred_geteuid(l->l_cred) &&
        (error = kauth_authorize_generic(l->l_cred,
        KAUTH_GENERIC_ISSUSER, NULL)) != 0)) {
            return error;
    }

With something like the following:

    /* Ensure that the user can write to the mount-point. */
    if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0)
            return error;

Does anyone see any drawbacks to this approach? If not, I'll change
the relevant code.
Thanks,
-e.
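
Added example, not part of the original message and not NetBSD kernel code: a user-space C model of the two mount-point checks discussed above, run over constructed directory attributes to show where the ownership test and the write-access test disagree. The struct and function names are hypothetical, and the write check assumes classic owner/group/other mode bits with no supplementary groups or ACLs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified user-space model of the two policies; not NetBSD kernel code. */
struct dir_attr { uid_t uid; gid_t gid; mode_t mode; };  /* mount-point attributes */
struct cred { uid_t euid; gid_t egid; };                 /* caller credentials */

/* Existing check: the caller owns the mount point, or is root. */
static bool owner_check(const struct dir_attr *d, const struct cred *c)
{
    return d->uid == c->euid || c->euid == 0;
}

/* Proposed check: the caller has write permission (owner, group, other bits).
 * Assumption: supplementary groups and ACLs are ignored. */
static bool write_check(const struct dir_attr *d, const struct cred *c)
{
    if (c->euid == 0)
        return true;
    if (c->euid == d->uid)
        return (d->mode & 0200) != 0;
    if (c->egid == d->gid)
        return (d->mode & 0020) != 0;
    return (d->mode & 0002) != 0;
}

/* Constructed sample data: one non-root caller and five mount points. */
static const struct cred user = { 1000, 1000 };
static const struct { const char *what; struct dir_attr d; } cases[] = {
    { "own dir, 0755",               { 1000, 1000, 0755 } },
    { "own dir, 0555",               { 1000, 1000, 0555 } },
    { "root-owned, group rwx, 0775", { 0, 1000, 0775 } },
    { "root-owned, sticky, 1777",    { 0, 0, 01777 } },
    { "root-owned, 0755",            { 0, 0, 0755 } },
};
enum { NCASES = sizeof(cases) / sizeof(cases[0]) };

/* Print both verdicts per case; return how many cases the policies disagree on. */
static int compare_policies(void)
{
    int differ = 0;
    for (int i = 0; i < NCASES; i++) {
        bool o = owner_check(&cases[i].d, &user), w = write_check(&cases[i].d, &user);
        printf("%-30s owner=%-5s write=%s\n", cases[i].what,
            o ? "allow" : "deny", w ? "allow" : "deny");
        differ += (o != w);
    }
    return differ;
}

int main(void) { return compare_policies() == 3 ? 0 : 1; }
```

The three disagreements are the cases to weigh when reviewing the change: a read-only directory the caller owns stops being accepted, while group-writable and world-writable directories owned by someone else become accepted.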