tech-kern archive


Re: kern/29360: vfs.generic.usermount and mount(8) general questions



Hi,

I just came across this PR.

The check that a non-root user owns the mount-point directory was
introduced way before vfs.generic.usermount. In fact, it seems that it
actually removed the root check, and allowed non-root users to freely
mount file-systems:

    
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/vfs_syscalls.c.diff?r1=1.42&r2=1.43&f=h

In other words, I don't see a direct relation between the two.

I believe your (the submitter's) suggestion makes a lot of sense: if
we only care about read access to the device file when mounting as a
non-root user, why should we care about more than write access (i.e.,
ownership) for the mount-point in the same scenario?

What I suggest is that since we already have a check to ensure the
user is allowed to mount a file-system, we should replace the
following code in kern/vfs_syscalls.c:

/*
 * If the user is not root, ensure that they own the directory
 * onto which we are attempting to mount.
 */
if ((error = VOP_GETATTR(vp, &va, l->l_cred)) != 0 ||
    (va.va_uid != kauth_cred_geteuid(l->l_cred) &&
    (error = kauth_authorize_generic(l->l_cred,
    KAUTH_GENERIC_ISSUSER, NULL)) != 0)) {
        return error;
}

With something like the following:

/* Ensure that the user can write to the mount-point. */
if ((error = VOP_ACCESS(vp, VWRITE, l->l_cred)) != 0)
    return error;

Does anyone see any drawbacks to this approach? If not, I'll change
the relevant code.

Thanks,

-e.
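
The two mount-point checks discussed in the message above, as an added example that is not part of the original post or of the NetBSD source: a simplified userland model showing on which directories the ownership test and the write-permission test give different answers. The `dir_attr` and `cred` structs, the function names, and the sample directories are hypothetical, and the model assumes classic UNIX mode bits only (no supplementary groups, ACLs, or read-only file systems).

```c
/* Added example: userland model of the two mount-point policies.
 * Simplified and hypothetical; this is not the kernel's VOP_ACCESS. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

struct dir_attr { uid_t uid; gid_t gid; mode_t mode; };  /* hypothetical */
struct cred     { uid_t euid; gid_t egid; };             /* hypothetical */

/* Ownership policy: caller must own the directory, or be root. */
static int owner_check(const struct dir_attr *va, const struct cred *c)
{
	if (va->uid == c->euid || c->euid == 0)
		return 0;
	return EPERM;
}

/* Write-access policy: pick the owner, group or other class (in that
 * order) and require its write bit; root always passes. */
static int write_check(const struct dir_attr *va, const struct cred *c)
{
	mode_t bit;

	if (c->euid == 0)
		return 0;
	if (va->uid == c->euid)
		bit = 0200;
	else if (va->gid == c->egid)
		bit = 0020;
	else
		bit = 0002;
	return (va->mode & bit) ? 0 : EACCES;
}

int main(void)
{
	/* Constructed sample credentials and directories. */
	struct cred user = { 1000, 100 };
	struct dir_attr own_ro = { 1000, 100, 0555 };  /* owned, not writable */
	struct dir_attr sticky = { 0, 0, 01777 };      /* root-owned, world-writable */

	printf("owned 0555: owner=%d write=%d\n",
	    owner_check(&own_ro, &user), write_check(&own_ro, &user));
	printf("root 01777: owner=%d write=%d\n",
	    owner_check(&sticky, &user), write_check(&sticky, &user));
	return 0;
}
```

The two policies disagree in both directions: a directory the user owns but cannot write passes only the ownership test, while a world-writable directory owned by someone else passes only the write test.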

