[HEADSUP] Disallowing read() of a directory fd
Cy Schubert
Cy.Schubert at cschubert.com
Fri May 15 21:22:52 UTC 2020
In message <35501.1589529102 at critter.freebsd.dk>, "Poul-Henning Kamp"
writes:
> --------
> In message <CACNAnaFDHMkConkBLY-2BMAudueDA8-HTJ5_FNpt4WrB=gg_HA at mail.gmail.co
> m>
> , Kyle Evans writes:
> >On Thu, May 14, 2020 at 3:30 PM Poul-Henning Kamp <phk at phk.freebsd.dk> wrote
> :
>
> >Can we explore the possibility of using fsdb(8) to fulfill these needs
> >in a way that you'd be comfortable with?
>
> First, I am perfectly comfortable with fsdb(8), but in both the two
> scenarios it was much less timeconsuming to do:
>
> strings < /some/directory | head
>
> Which immediately gives you the first filenames in the directory,
> without waiting for ls(1) to read the entire directory, which in
> this case was well north of 100MB.
>
> In the other case
>
> hexdump -C < /some/directory | grep part_of_suspect_filename
>
> gave me the answer faster than I could have started fsdb, it gave
> me the answer in convenient hexadecimal, and besides it was not
> a UFS filesystem.
>
> Second, one of the major reasons, probably about 3/4 of the total
> reason I ended up in FreeBSD, was because of some utterly shit
> experiences with commercial operating systems, where I had been in
> a tight corner at 00-dark o'clock, and run straight into something
> some idiot of at the vendor thought root should not be able to do
> "for their own safety".
>
> This change falls right into that category: If root wants to hexdump
> a directory, an entire bloody disk, or even if root wants to go
> and do binary surgery on a mounted file system with a hex-editor,
> root should be able to do that.
>
> She may have to `sysctl kern.warranty_voided=999` first, to disable
> *under normal circumstances* reasonable and sensible protections.
>
> I'm perfectly fine with that: We do not want to make being root a
> minefield, and I myself put the ability to munge mounted filesystems
> under such a interlock in GEOM.
>
> But we should not make it *impossible* to do these things, and in
> particular, we should not make them require a reboot, because ten
> times out of nine, when you find yourself doing this kind of shit,
> it is usually because you're pretty sure everything is lost if you
> reboot.
>
> Summary: I'm perfectly fine with read(2) returning error on a
> directory *under normal circumstances*, and I think it makes good
> sense by protecting a lot of terminals from a lot of binary
> garbage.
>
> But there is absolutely no reason to make it *impossible* for
> a competent root to do what competent roots do.
A kern.geom.debugflags-like thing might help but the complexity the code
remains. Kyle's patch reduces complexity to a degree. A debugflags sysctl
won't, it will add a little complexity.
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
The need of the many outweighs the greed of the few.
More information about the freebsd-arch
mailing list