Hi Rafael,

On Sat, Jul 19, 2025 at 08:17:43AM +0200, Rafael Sadowski wrote:
> On Wed Jul 16, 2025 at 04:20:43AM -0300, Crystal Kolipe wrote:
> > Currently, an mfs filesystem always inherits the permissions of it's mount
> > point.
> > 
> > This behaviour necessarily differs from disk-based filesystems, since mfs is
> > volatile.
> > 
> > The problem is that a common use of mfs is for mounting on /tmp, and this
> > requires 01777 permissions for correct operation.
> > 
> > So 'solve' this problem, users commonly chmod the /tmp directory on the root
> > filesystem to 01777, which is a bad thing to do because if for some reason the
> > mfs filesystem fails to mount or is later unmounted, it will leave a
> > world-writable directory on /.
> > 
> > This could be used by a malicious user to create hard links to various files
> > in /etc or elsewhere where they are not desired.
> > 
> > To avoid this, let's teach mount_mfs to accept an optional -p parameter to
> > specify the required permissions _after_ the mfs filesystem is mounted.
> > 
> > Note, the -p option was previously used in historical versions of newfs to
> > indicate a number of reserved sectors for each track.  This was removed from
> > OpenBSD in 2007, and since the new -p option is only valid for mount_mfs and
> > not newfs, it seems reasonable to re-use it.  The more obvious -m option as
> > used by mount_tmpfs is already in use in mount_mfs and newfs.
> 
> I agree and your suggestion mitigates the problem and opens up
> the right options from my point of view.
> 
> I have some comments on the diff including a new proposal
> (slightly modified based on your diff).

OK for the code changes.

I think the manual page needs an extra clarification to the paragraph
following the existing text describing -P, as the new -p option means it's no
longer true to say that only -P will cause the permissions to change.

Do we also need to clarify in the man page what happens if both -p and -P are
used at the same time?  In that case, -p is ignored and the permissions from
the directory specified with -P are used.

I'm wondering if that is even the desired behaviour, maybe -p should always
override even when -P is specified.  But if nobody has an opinion on this
I'm OK with the current proposal.

--- newfs.8.orig	Mon Apr  7 04:25:02 2025
+++ newfs.8	Sun Jul 20 08:37:23 2025
@@ -67,6 +67,7 @@
 .Op Fl m Ar free-space
 .Op Fl O Ar filesystem-format
 .Op Fl o Ar options
+.Op Fl p Ar mode
 .Op Fl P Ar file
 .Op Fl s Ar size
 .Ar special node
@@ -270,7 +271,8 @@
 are as described for
 .Nm ,
 except for the
-.Fl o
+.Fl o ,
+.Fl p
 and
 .Fl P
 options.
@@ -284,6 +286,17 @@
 See the
 .Xr mount 8
 man page for possible options and their meanings.
+.It Fl p Ar mode
+Set permissions on the mount point after the mfs filesystem has been mounted.
+The
+.Ar mode
+argument must be specified in octal notation.
+By default, mfs inherits the permissions of the mount point directory,
+which can create security issues if the underlying directory has
+world-writable permissions such as when mounting on
+.Pa /tmp .
+This option allows setting secure permissions directly without modifying
+the underlying filesystem.
 .It Fl P Ar file
 If
 .Ar file
@@ -295,9 +308,11 @@
 contents of the FFS file system contained on the device.
 .El
 .Pp
-If the
+If neither of the
+.Fl p Ar mode
+or
 .Fl P Ar file
-option is not used, the owner and mode of the created mfs file
+options is used, the owner and mode of the created mfs file
 system will be the same as the owner and mode of the mount point.
 .Sh ENVIRONMENT
 .Bl -tag -width COLUMNS