Re: jails and fusefs - D16371 question regarding unprivileged user
- In reply to: Harry Schmalzbauer : "Re: jails and fusefs - D16371 question regarding unprivileged user"
Date: Sun, 05 Jan 2025 16:19:26 UTC
On Sun, Jan 5, 2025 at 5:47 AM Harry Schmalzbauer <freebsd@omnilan.de> wrote:
>
> On 2025-01-04 22:53, Alan Somers wrote:
> > On Sat, Jan 4, 2025 at 2:39 PM Harry Schmalzbauer <freebsd@omnilan.de> wrote:
> ....
> >> For now I set the setuid bit to JAILROOT/bin/mount_fusefs.
> >>
> >> **This works fine** (signing in via RDP as unprivileged user (with
> >> freerdp/remmina) allows me to access my shared remote-client directory
> >> in the jailed XFCE4 session).
> ...
> >
> > What is the value of enforce_statfs in your jail? It must be < 2 for
> > mounting within the jail to work.
>
> Thanks for your help. The jail config is fine (enforce_statfs is set to
> 1 in that case), like mentioned utilizing mount_fusefs(8) is working as
> expected in my jail as long as the process invoking it is privileged.
>
> My issue is that vfs.usermount doesn't affect how mount requests from
> jails are handled.
> Even if setting vfs.usermount to 1 on my host would enable unprivileged
> users in my jail to mount_fusefs(8), this setting has unwanted side
> effects - I don't want users to mount anything on the host.
>
> *I don't know if it is intentional* that vfs.usermount is ignored for
> jailed processes.
> What we really would need is a jail-only setting allowing user mounts.
> Global for all jails might be sufficient, since you have to selectively
> allow.mount each fs-type separately.
> Per jail would be the best implementation.
>
> Maybe I oversee any other security impact of allowing unprivileged
> processes to mount from/inside jails!?!
>
> For my current use case, I could tolerate vfs.usermount affecting the
> host security because no users other than the su(1)-permitted admin can
> sign in.
> But I'm not sure I can cope with the security implication having the
> /sbin/mount_fusefs SUID permission bit set, which is my current solution
> (which makes user-mounting RDPDR fusefs working!).
>
> Thanks,
> -harry

Looking through the code, I see that revision 7533652025eb80bc769f019ba6cb82c4f500443d is the first that ever allowed mounting from within a jail. But it only allowed mounting by jailed privileged users. There's no public record of the code review, so I don't know what was discussed.

I'd be wary of granting extra privileges to jails, though. Jail security can be tricky. There are a number of ways, for example, for a jailed privileged user to collaborate with an unjailed unprivileged user in order to gain root outside of the jail.

I will note that there's another option. mac(9) can choose to allow an operation that would otherwise be disallowed. So it would be possible to write a rule that would allow a user (perhaps a specific user, or all users, or a range, etc) to mount a file system. mac_bsdextended doesn't have that ability, but it could be added. mac_biba, mac_lomac, and mac_mls all do. However, I don't know those well enough to write rules for them. You'll have to do some research there.

Hope that helps,
-Alan
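For reference, the jail parameters the thread relies on, written out as an added jail.conf(5) fragment (not from either poster; the jail name and path are placeholders):

```conf
# Added example, not from the thread: a jail.conf(5) entry carrying the
# settings the discussion depends on. Jail name and path are placeholders.
desktopjail {
    path = "/jails/desktopjail";

    # Mount requests from inside the jail are refused unless
    # enforce_statfs < 2; 1 still hides mounts outside the jail root.
    enforce_statfs = 1;

    # Mounting must be enabled in general, then per file system type.
    allow.mount;
    allow.mount.fusefs;

    # The host's vfs.usermount sysctl is not consulted for jailed
    # processes, so mount_fusefs(8) here still needs a privileged caller;
    # a MAC policy rule, as suggested above, is the alternative to setuid.
}
```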