devshr: security!

3 files changed, 45 insertions, 14 deletions

diff --git a/sys/man/3/shr b/sys/man/3/shr
index e395e2155..f7573f011 100644
--- a/sys/man/3/shr
+++ b/sys/man/3/shr
@@ -14,7 +14,9 @@ shr \- global mountpoints
 The
 .I shr
 device provides global mountpoints in the form of share directories
-where 9p services can be mounted and unmounted dynamically.
+where
+.IR 9P
+services can be mounted on.
 
 Effectively, it is a global mountpoint registry that is separate from
 private namespaces.
@@ -26,7 +28,7 @@ in the mount tree
 .BI #σ
 are the share mountpoints themselve and in the control tree
 .BI #σc
-share directories can be created or removed.
+share directories list the service files of the share.
 .PP
 To create a new share, create the directory
 .B #σc/myshare
@@ -37,13 +39,26 @@ and then write a text string (suitable for
 .IR strtoul ;
 see
 .IR atof (2))
-giving the file descriptor number of an open 9p service.  Any process
+giving the file descriptor number of an open
+.I 9P
+service.  Any process
 with the proper permission may then access
 .B #σ/myshare
-to use the service.
+on the mount tree.
 .PP
-Multiple services can be mounted under a share.  New services get
-mounted before old ones.  Removing the service file from a share
-removes the service as soon as the last reference goes away.
+The service file can be reopened and passed to
+.IR mount
+(see
+.IR bind(2))
+or added to another share.
+.PP
+Multiple services can be mounted under a share forming a union
+directory. New services get mounted before old ones.
+Removing the service file unmounts the service from the share.
+.PP
+Creating shares and mounts requires read-write access in the share
+directory. The special user
+.B none
+is prohibited from these operations.
 .SH SOURCE
 .B /sys/src/9/port/devshr.c
diff --git a/sys/src/9/boot/nusbrc b/sys/src/9/boot/nusbrc
index b94bd7472..04b783628 100644
--- a/sys/src/9/boot/nusbrc
+++ b/sys/src/9/boot/nusbrc
@@ -2,7 +2,7 @@
 
 if(! bind -a '#u' /dev)
 	exit
-mkdir '#σc/usb'
+mkdir -m 0700 '#σc/usb'
 if(! nusb/usbd)
 	exit
 
diff --git a/sys/src/9/port/devshr.c b/sys/src/9/port/devshr.c
index 90c6ad781..3aa604ea0 100644
--- a/sys/src/9/port/devshr.c
+++ b/sys/src/9/port/devshr.c
@@ -392,6 +392,8 @@ shropen(Chan *c, int omode)
 		devpermcheck(shr->owner, shr->perm, openmode(omode));
 		break;
 	case Qcmpt:
+		if(omode&OTRUNC)
+			error(Eexist);
 		shr = sch->shr;
 		mpt = sch->mpt;
 		devpermcheck(mpt->owner, mpt->perm, openmode(omode));
@@ -430,6 +432,12 @@ shrcreate(Chan *c, char *name, int omode, ulong perm)
 	default:
 		error(Enocreate);
 	case Qcroot:
+	case Qcshr:
+		if(strcmp(up->user, "none") == 0)
+			error(Eperm);
+	}
+	switch(sch->level){
+	case Qcroot:
 		if((perm & DMDIR) == 0 || openmode(omode) != OREAD)
 			error(Eperm);
 
@@ -461,11 +469,14 @@ shrcreate(Chan *c, char *name, int omode, ulong perm)
 		sch->shr = shr;
 		break;
 	case Qcshr:
-		shr = sch->shr;
-		devpermcheck(shr->owner, shr->perm, ORDWR);
 		if((perm & DMDIR) || openmode(omode) != OWRITE)
 			error(Eperm);
 
+		shr = sch->shr;
+		if(strcmp(shr->owner, eve) == 0 && !iseve())
+			error(Eperm);
+		devpermcheck(shr->owner, shr->perm, ORDWR);
+
 		h = &shr->umh;
 		wlock(&h->lock);
 		if(waserror()){
@@ -520,8 +531,16 @@ shrremove(Chan *c)
 	default:
 		error(Eperm);
 	case Qcshr:
+	case Qcmpt:
 		shr = sch->shr;
-		devpermcheck(shr->owner, shr->perm, ORDWR);
+		if(!iseve()){
+			if(strcmp(shr->owner, eve) == 0)
+				error(Eperm);
+			devpermcheck(shr->owner, shr->perm, ORDWR);
+		}
+	}
+	switch(sch->level){
+	case Qcshr:
 		h = &shr->umh;
 		qlock(&shrslk);
 		rlock(&h->lock);
@@ -541,8 +560,6 @@ shrremove(Chan *c)
 		qunlock(&shrslk);
 		break;
 	case Qcmpt:
-		shr = sch->shr;
-		devpermcheck(shr->owner, shr->perm, ORDWR);
 		mpt = sch->mpt;
 		m = &mpt->m;
 		h = &shr->umh;
@@ -630,7 +647,6 @@ shrwstat(Chan *c, uchar *dp, int n)
 		wunlock(&h->lock);
 		break;
 	}
-
 	return n;
 }