
automountd: crude attempt to drop privileges while executing map files
Needs ReviewPublic

Authored by kevans on Tue, Apr 28, 4:21 AM.
Details

Reviewers
des
markj
manu
rew
Summary

Executing configuration files in automountd(8) is a tradition inherited
from autofs of other systems, but the functionality unnecessarily
increases a system's exposure by doing so as root in all cases.

Drop privileges by default to the newly-created _automount user for all
of:

  • /etc/autofs/include*
  • /etc/autofs/special*
  • executable maps

An -S option is added to revert the new behavior, because while the
first two don't seem to require root in off-the-shelf configurations,
maps are a complete wildcard and harder to judge off-hand.

The primary goal is to limit the blast radius of possibly unexpected
side effects, as a lot of these things just want to talk over the
network and do text processing on the result.

Relnotes: yes ("Behavior change, automountd_flags += -S reverts")
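The privilege drop the summary describes, as an added example that is not code from this review or from automountd: a helper that switches to an unprivileged account before exec of a map or include script, in the order that cannot be undone, plus a check that verifies root is gone. The account name, the "-" keep-root switch modelling -S, and the command-line shape are assumptions.

```c
/* Added example, not automountd's or the review's own code: switch to an
 * unprivileged account ("_automount" is assumed to exist on the host) before
 * executing an untrusted map or include script; verify root can't return. */
#define _DEFAULT_SOURCE 1   /* glibc: expose initgroups(); no-op on FreeBSD */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
/* Returns 1 if the process now runs irrevocably as uid/gid, else 0. */
int privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return 0;
    /* After a correct drop, an attempt to become root again must fail. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Switch to `user` and its configured supplementary groups, so placing
 * _automount in e.g. the operator group can grant a map what it needs.
 * Order matters: groups, then gid, then uid; once the uid changes we no
 * longer have the privilege to fix the others. Returns 0 or -1. */
int drop_privs_to(const char *user)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        if (errno == 0) errno = ENOENT;   /* unknown user, not a lookup error */
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) == -1 ||
        setgid(pw->pw_gid) == -1 || setuid(pw->pw_uid) == -1)
        return -1;
    return privs_dropped(pw->pw_uid, pw->pw_gid) ? 0 : -1;
}
int main(int argc, char **argv)
{
    if (argc < 3) return 2;
    /* "-" keeps root, as -S would; otherwise never exec with root intact. */
    if (argv[1][0] != '-' && drop_privs_to(argv[1]) == -1) {
        perror("drop_privs_to");
        return 1;
    }
    execv(argv[2], argv + 2);
    perror("execv");
    return 1;
}
```

Invoked as `./drop _automount /etc/autofs/some-map key` it runs the map as _automount; `./drop - ...` keeps the caller's privileges. Running it as a non-root user, `privs_dropped` still reports 1 because setuid(0) fails, which is the property the check exists to confirm.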

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

The special_media map requires root to work, for determining fstyp(8).

I'm guessing there'll be *some* existing configurations disrupted by this change.

I doubt many people use autofs to automount media at the moment.

Not sure if the include_ldap map file, which uses ldapsearch, requires root to work, or SMB things.

In general, this change looks good to me.

I'll do some smoke tests later on and follow up tonight.

In D56680#1300109, @rew wrote:

> The special_media map requires root to work, for determining fstyp(8).

This goes along with a question Mark asked in the review adding the user; for something like this, I would picture dropping the automount user into the operator group, for instance, on a case-by-case basis to provide it that access without elevating it all the way to root.

> I'm guessing there'll be *some* existing configurations disrupted by this change.

> I doubt many people use autofs to automount media at the moment.

It's still worth documenting known cases like that. I'd be surprised if it doesn't break *something*, but I have a suspicion it balances out. This review adds an -S flag to turn it off; perhaps we should start with -s to turn it on (in addition) and MFC that so that folks can try it, then flip the default.

> Not sure if the include_ldap map file, which uses ldapsearch, requires root to work, or SMB things.

LDAP configuration is typically world-readable, or you specify bind configuration via args.

> In general, this change looks good to me.

> I'll do some smoke tests later on and follow up tonight.

Thanks!

Minor doc suggestions:

usr.sbin/autofs/auto_master.5, lines 298–301

Not an exact suggestion, but maybe clarify that "drop privileges" means a non-root or _automount user:

"By default, automountd(8) runs executable maps as a non-root user but can be instructed.."

usr.sbin/autofs/automountd.8, lines 65–67

This is misleading, as automount(8) parses the auto_master(5) configuration... and, I think, automount(8) is typically executed as root.

If I recall, automount -LL will actually run the executable maps as whatever user invokes automount(8).

It might read something to the effect of:

-S, run executable maps as root

But I guess that assumes the user started automountd as root.

Maybe that's a safe assumption?