# Meanwhile in OpenBSD land.



## kpa (Jul 15, 2016)

https://marc.info/?l=openbsd-announce&m=146854517406640&w=2



> In addition to the patched bugs, several panics were discovered by NCC that
> can be triggered by root or users with the usermount option set. These bugs
> are not getting patched because we believe they are only the tip of the
> iceberg. The mount system call exposes too much code to userland to be
> ...



I have to give them credit for sticking to their own principles and practices. Removing the usermount option would be highly controversial even here on FreeBSD and unthinkable on Linux.


----------



## Murph (Jul 15, 2016)

kpa said:


> I have to give them credit for sticking to their own principles and practices. Removing the usermount option would be highly controversial even here on FreeBSD and unthinkable on Linux.



There's also a potentially paradoxical element to this.  Removing usermount to improve security could end up with the practical impact of making the systems involved less secure in the real world.  When you remove / block something like that which people have a use for, they won't just shrug it off and live without it, they will re-introduce the bad suid-root insecurities which were made obsolete by usermount.  Sure, the system as-shipped will be more secure, but the system as-deployed may be less secure in many cases.


----------



## Maxnix (Jul 15, 2016)

Seems, however, that this problem is not strictly related to usermount, but to tmpfs:
http://www.openwall.com/lists/oss-security/2016/07/14/5
https://cxsecurity.com/issue/WLB-2016070125
and since even root is involved, IMHO it would seem more logical to fix the problems with tmpfs than to get rid of usermount (even if it has its security problems).


Murph said:


> There's also a potentially paradoxical element to this.  Removing usermount to improve security could end up with the practical impact of making the systems involved less secure in the real world.  When you remove / block something like that which people have a use for, they won't just shrug it off and live without it, they will re-introduce the bad suid-root insecurities which were made obsolete by usermount.  Sure, the system as-shipped will be more secure, but the system as-deployed may be less secure in many cases.


Agree. However, as an alternative sudo(8) (or `doas`, perhaps) can be used to give unprivileged users selective mounting capabilities based on <FS type> AND <device> AND <mountpoint>. It's not very flexible, but it's doable at least.
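A doas.conf fragment illustrating the selective mount rule described above, with the permissive form alongside it for contrast. This is an added example, not from the post or from the OpenBSD project; the user name alice, the device /dev/sd1i and the mount point /home/alice/usb are assumed values.

```conf
# Permissive form (shown commented out): alice may run mount with ANY
# arguments, so she picks the filesystem type, the device and the mount
# point herself. That is roughly the same kernel exposure usermount gave,
# just routed through doas.
# permit nopass alice cmd mount

# Selective form: doas matches "args" only when the arguments are
# exactly these, so alice can mount exactly this device, of this
# filesystem type, at this mount point, and unmount it again.
# "nopass" is optional; drop it if a password prompt is wanted.
permit nopass alice cmd mount args -t msdos /dev/sd1i /home/alice/usb
permit nopass alice cmd umount args /home/alice/usb
```

One rule pair per device and mount point is needed, which is the inflexibility the post mentions; the mount point must exist before the rule is useful.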


----------



## kpa (Jul 15, 2016)

Maxnix said:


> Seems, however, that this problem is not strictly related to usermount, but to tmpfs:
> http://www.openwall.com/lists/oss-security/2016/07/14/5
> https://cxsecurity.com/issue/WLB-2016070125
> and since even root is involved, IMHO it would seem more logical to fix the problems with tmpfs than to get rid of usermount (even if it has its security problems).
> ...



What you linked proves that the problem can be triggered by use of tmpfs but OpenBSD's own assessment says that the problem is larger and very likely is not limited to just that filesystem:



> These bugs
> are not getting patched because we believe they are only the tip of the
> iceberg. The mount system call exposes too much code to userland to be
> considered secure.


----------



## Murph (Jul 15, 2016)

Maxnix said:


> Agree. However, as an alternative sudo(8) (or `doas`, perhaps) can be used
> to give unprivileged users selective mounting capabilities based on <FS type> AND <device> AND <mountpoint>. It's not very flexible, but it's doable at least.



Indeed, yes, it doesn't actually force you into an insecure alternative.  The problem comes for people who are too lazy or have difficulty in implementing a reasonable alternative.  Hopefully the OpenBSD people will recognise that and include some reasonable examples of alternatives in their release notes and sudo/doas documentation.


----------



## ANOKNUSA (Jul 15, 2016)

Murph said:


> Indeed, yes, it doesn't actually force you into an insecure alternative. The problem comes for people who are too lazy or have difficulty in implementing a reasonable alternative.



Too true, but the weakest element in any artificial system is the human element. At least by eliminating a problem that is inherent in the system, the _illusion_ of security is diminished. It's one thing if everyone is confidently using a convenience believed to be secure, but which in fact contains a previously unknown security flaw. It's another thing entirely if someone is deliberately circumventing security for the sake of convenience. Human error is the cause of the insecurity in each case, but in the latter the danger is more easily recognizable and you know whom to hold responsible.


----------



## Maxnix (Jul 15, 2016)

kpa said:


> What you linked proves that the problem can be triggered by use of tmpfs but OpenBSD's own assessment says that the problem is larger and very likely is not limited to just that filesystem:


Sorry, I misunderstood the first post. Thank you for clarifying it.


----------



## ronaldlees (Jul 15, 2016)

Maxnix said:


> Sorry, I misunderstood the first post. Thank you for clarifying it.



I see you use a variant of the OpenBSD mascot as your avatar.  I hadn't been out to the OpenBSD.org site in quite a while.  Is it sleep deprivation due to working on Libressl?  Their mascot is starting to look like an old man!


----------



## Maxnix (Jul 15, 2016)

ronaldlees said:


> I see you use a variant of the OpenBSD mascot as your avatar.


Yup. I like Puffy. My main OS is FreeBSD; however, I like OpenBSD and have great respect and admiration for the project, and its ideals and goals too.



ronaldlees said:


> I hadn't been out to the OpenBSD.org site in quite a while.  Is it sleep deprivation due to working on Libressl?  Their mascot is starting to look like an old man!


Well, I don't know if Puffy himself is contributing to LibreSSL. Perhaps his friend! The "sleep deprived" Puffy you are referring to is the great Dr. W^X (inspired by Dr. Who, obviously*).
My avatar instead is taken from the cover of Absolute OpenBSD 2nd Edition**.

*Seriously, no one can say they lack fantasy for their artworks!
**There, he seems so sweet and nice!... At least, until you notice the skulls next to him!


----------



## ronaldlees (Jul 16, 2016)

No, really, the mascot has quadruple sags under his eyelids.  I'll bet he's using a cane (but it ain't showing).   Cold all the time - can tell by the scarf.  Not a good sign.


----------



## Maxnix (Jul 18, 2016)

ronaldlees said:


> No, really, the mascot has quadruple sags under his eyelids.  I'll bet he's using a cane (but it ain't showing).   Cold all the time - can tell by the scarf.  Not a good sign.


Naah, that is just a variant.  Probably we'll see the good old Puffy in all his splendor with the next release!


----------



## Murph (Jul 18, 2016)

ronaldlees said:


> No, really, the mascot has quadruple sags under his eyelids.  I'll bet he's using a cane (but it ain't showing).   Cold all the time - can tell by the scarf.  Not a good sign.



I believe those lines are probably Tom Baker's, rather than Puffy's.  If you look at photos of him over the years, his face became progressively craggy from approx. 1980 onwards (his tenure ended in 1981).


----------



## tobik@ (Jul 18, 2016)

Maxnix said:


> Naah, that is just a variant.  Probably we'll see the good old Puffy in all his splendor with the next release!


Exactly, let's not forget that Doctor W^X can regenerate like all good 64-bit time lords. I hear this happens every 6 months.


----------



## RichardET (Jul 26, 2016)

kpa said:


> https://marc.info/?l=openbsd-announce&m=146854517406640&w=2
> 
> 
> 
> I have to give them credit for sticking to their own principles and practices. Removing usermount option would be highly controversial even here on FreeBSD and unthinkable on Linux.



Removing the user mount feature kinda limits a desktop system... but I do tend to agree with their desire to remove the Linux layer. I never understood that anyway; just run Linux in a VM.


----------



## tobik@ (Jul 26, 2016)

RichardET said:


> Removing the user mount feature kinda limits a desktop system....


How so?


----------



## RichardET (Jul 26, 2016)

I like simple ease of use;


----------



## ANOKNUSA (Jul 26, 2016)

RichardET said:


> I like simple ease of use;



So does the stranger breaking into your system. In any case, there's not much practical difference between allowing a regular user to manually mount a disk without a password, and configuring devd(8) to automatically mount that disk when it's attached. The latter is what people tend to expect from a desktop system, and can be configured on a per-user basis.


----------

