Re: [ANN] unionfs patchset-13 release

From: André Braga <meianoite_at_gmail.com> Date: Wed, 31 May 2006 15:25:37 -0300 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:56 UTC

On 5/31/06, Alexander Leidinger <Alexander_at_leidinger.net> wrote:
> If everyone is happy with the current patchset (if the man-page is
> still missing, we may agree that it can be delivered at a later time),
> I can try to get time to do it at the weekend (but feel free to beat
> me in committing it).

Hello,
I haven't been able to test whether the new patchset handles the bug I
reported to Mr. Daichi Goto but so far haven't received a reply.
Perhaps my message got lost somewhere, so I thought it would be a good
idea to report this bug again. I diff'ed -p11 against -p12 (not yet
against -p13) but haven't been able to determine myself if this bug
got fixed. To foreign a code for me to understand as I have no
background on the inner workings of FreeBSD's VFS, so I can't realy
tell if the differences were sufficient to fix the bug.

Here's a reprint of my bug report when -p11 was the newest available version.

A post scriptum to the original message:
The buggy behaviour won't affect the host system, but the jail could
well be compromised. I also have this feeling that ACLs also aren't
respected inside jails or can be overwritten as easily as shown below

Thanks,
André

---------------------- 8< ----------------------

Hi,

Once again, thank you for your patch.

I believe I have found a bug:

If a file or directory has non-default flags and this directory is
mounted below a target point, the resulting union will not preserve
the directory flags. Worse, it will appear as if the file flags are
preserved, but they are not and as soon as a file that should not be
modified gets modified, the flags are reset to the default state on
the union mount. This could pose a *serious* security breach for
people running jails rooted on unionfs mounts, like I intended to.

Test case:
(discrepancies are marked by a line containing "**** NOTICE" and
aligned to fixed-length font display)

# cd /tmp
# mkdir -p test/a test/b/bb test/b/cc
# touch test/b/cc/dd
# chflags schg test/b/bb/
# chflags uappnd test/b/cc/dd
# ls -Rlo
total 2
drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 test

./test:
total 4
drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 a
drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 b

./test/a:
total 0

./test/b:
total 4
drwxr-xr-x  2 root  wheel  schg 512 Apr 29 08:12 bb
**** NOTICE 1a             ^^^^    ****
drwxr-xr-x  2 root  wheel  -    512 Apr 29 08:12 cc

./test/b/bb:
total 0

./test/b/cc:
total 0
-rw-r--r--  1 root  wheel  uappnd 0 Apr 29 08:12 dd
**** NOTICE 2a             ^^^^^^    ****
# echo ee >test/b/cc/dd
test/b/cc/dd: Operation not permitted.
# echo ee >> test/b/cc/dd
**** NOTICE: this is the intended behavior for the 'uappnd' flag ****
# cat test/b/cc/dd
ee
#
# mount_unionfs -c transparent -b test/b test/a
# ls -Rlo
total 2
drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 test

./test:
total 4
drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 a
drwxr-xr-x  4 root  wheel  - 512 Apr 29 08:12 b

./test/a:
total 4
drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 bb
**** NOTICE 1b            ^^^    ****
drwxr-xr-x  2 root  wheel  - 512 Apr 29 08:12 cc

./test/a/bb:
total 0

./test/a/cc:
total 2
-rw-r--r--  1 root  wheel  uappnd 3 Apr 29 08:15 dd
**** NOTICE 2b (LOOKS OK)  ^^^^^^    ****
./test/b:
total 4
drwxr-xr-x  2 root  wheel  schg 512 Apr 29 08:12 bb
drwxr-xr-x  2 root  wheel  -    512 Apr 29 08:12 cc

./test/b/bb:
total 0

./test/b/cc:
total 2
-rw-r--r--  1 root  wheel  uappnd 3 Apr 29 08:15 dd
# echo ff > test/a/cc/dd
# cat test/a/cc/dd
 ff
**** NOTICE: very wrong behavior for the 'uappnd' flag! ****
 # ls -lo test/a/cc/dd
-rw-r--r--  1 root  wheel  - 3 Apr 29 08:20 test/a/cc/dd
**** NOTICE 2c (NO FLAG!) ^^^    ****
# echo gg >test/b/cc/hh
# chflags schg test/b/cc/hh
# rm test/b/cc/hh
override rw-r--r--  root/wheel schg for test/b/cc/hh? yes
rm: test/b/cc/hh: Operation not permitted
**** NOTICE 3a    ^^^^^^^^^^^^^^^^^^^^^^^  ****
# ls -lo test/a/cc/hh
-rw-r--r--  1 root  wheel  schg 3 Apr 29 08:24 test/a/cc/hh
**** NOTICE 3b             ^^^^    ****
# rm test/a/cc/hh
override rw-r--r--  root/wheel schg for test/a/cc/hh? yes
**** NOTICE 3c (NO ERROR!)  ****
# ls -lo test/a/cc/
total 2
-rw-r--r--  1 root  wheel  - 3 Apr 29 08:20 dd
**** NOTICE 3d (the file is gone despite immutable flags seemingly set!)  ****

End of test case

It makes no difference to specify '-c tradicional'.

I skimmed over the patch code and have noticed no file flags or
director[y flags] are indeed [ever] copied to the shadow files.
[Edit: spelling]

I'd really appreciate if you could fix that for the patch version 12.

Thank you very much!
André