1 '\" te
   2 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   4 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with
   5 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH LOFIADM 1M "Aug 31, 2009"
   7 .SH NAME
   8 lofiadm \- administer files available as block devices through lofi
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/usr/sbin/lofiadm\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
  13 .fi
  14 
  15 .LP
  16 .nf
  17 \fB/usr/sbin/lofiadm\fR \fB-c\fR \fIcrypto_algorithm\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
  18 .fi
  19 
  20 .LP
  21 .nf
  22 \fB/usr/sbin/lofiadm\fR \fB-c\fR \fIcrypto_algorithm\fR \fB-k\fR \fIraw_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
  23 .fi
  24 
  25 .LP
  26 .nf
  27 \fB/usr/sbin/lofiadm\fR \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
  28 .fi
  29 
  30 .LP
  31 .nf
  32 \fB/usr/sbin/lofiadm\fR \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR
  33      \fB-k\fR \fIwrapped_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
  34 .fi
  35 
  36 .LP
  37 .nf
  38 \fB/usr/sbin/lofiadm\fR \fB-c\fR \fIcrypto_algorithm\fR \fB-e\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
  39 .fi
  40 
  41 .LP
  42 .nf
  43 \fB/usr/sbin/lofiadm\fR \fB-C\fR \fIalgorithm\fR [\fB-s\fR \fIsegment_size\fR] \fIfile\fR
  44 .fi
  45 
  46 .LP
  47 .nf
  48 \fB/usr/sbin/lofiadm\fR \fB-d\fR \fIfile\fR | \fIdevice\fR
  49 .fi
  50 
  51 .LP
  52 .nf
  53 \fB/usr/sbin/lofiadm\fR \fB-U\fR \fIfile\fR
  54 .fi
  55 
  56 .LP
  57 .nf
  58 \fB/usr/sbin/lofiadm\fR [ \fIfile\fR | \fIdevice\fR]
  59 .fi
  60 
  61 .SH DESCRIPTION
  62 .sp
  63 .LP
  64 \fBlofiadm\fR administers \fBlofi\fR, the loopback file driver. \fBlofi\fR
  65 allows a file to be associated with a block device. That file can then be
  66 accessed through the block device. This is useful when the file contains an
  67 image of some filesystem (such as a floppy or \fBCD-ROM\fR image), because the
  68 block device can then be used with the normal system utilities for mounting,
  69 checking or repairing filesystems. See \fBfsck\fR(1M) and \fBmount\fR(1M).
  70 .sp
  71 .LP
  72 Use \fBlofiadm\fR to add a file as a loopback device, remove such an
  73 association, or print information about the current associations.
  74 .sp
  75 .LP
  76 Encryption and compression options are mutually exclusive on the command line.
  77 Further, an encrypted file cannot be compressed later, nor can a compressed
  78 file be encrypted later.
  79 .sp
  80 .LP
  81 The \fBlofi\fR driver is not available and will not work inside a zone.
  82 .SH OPTIONS
  83 .sp
  84 .LP
  85 The following options are supported:
  86 .sp
  87 .ne 2
  88 .na
  89 \fB\fB-a\fR \fIfile\fR [\fIdevice\fR]\fR
  90 .ad
  91 .sp .6
  92 .RS 4n
  93 Add \fIfile\fR as a block device.
  94 .sp
  95 If \fIdevice\fR is not specified, an available device is picked.
  96 .sp
  97 If \fIdevice\fR is specified, \fBlofiadm\fR attempts to assign it to
  98 \fIfile\fR. \fIdevice\fR must be available or \fBlofiadm\fR will fail. The
  99 ability to specify a device is provided for use in scripts that wish to
 100 reestablish a particular set of associations.
 101 .RE
 102 
 103 .sp
 104 .ne 2
 105 .na
 106 \fB\fB-C\fR {\fIgzip\fR | \fIgzip-N\fR | \fIlzma\fR}\fR
 107 .ad
 108 .sp .6
 109 .RS 4n
 110 Compress the file with the specified compression algorithm.
 111 .sp
 112 The \fBgzip\fR compression algorithm uses the same compression as the
 113 open-source \fBgzip\fR command. You can specify the \fBgzip\fR level by using
 114 the value \fBgzip-\fR\fIN\fR where \fIN\fR is 6 (fast) or 9 (best compression
 115 ratio). Currently, \fBgzip\fR, without a number, is equivalent to \fBgzip-6\fR
 116 (which is also the default for the \fBgzip\fR command).
 117 .sp
 118 \fIlzma\fR stands for the LZMA (Lempel-Ziv-Markov) compression algorithm.
 119 .sp
 120 Note that you cannot write to a compressed file, nor can you mount a compressed
 121 file read/write.
 122 .RE
 123 
 124 .sp
 125 .ne 2
 126 .na
 127 \fB\fB-d\fR \fIfile\fR | \fIdevice\fR\fR
 128 .ad
 129 .sp .6
 130 .RS 4n
 131 Remove an association by \fIfile\fR or \fIdevice\fR name, if the associated
 132 block device is not busy, and deallocate the block device.
 133 .RE
 134 
 135 .sp
 136 .ne 2
 137 .na
 138 \fB\fB-s\fR \fIsegment_size\fR\fR
 139 .ad
 140 .sp .6
 141 .RS 4n
 142 The segment size to use to divide the file being compressed. \fIsegment_size\fR
 143 can be an integer multiple of 512.
 144 .RE
 145 
 146 .sp
 147 .ne 2
 148 .na
 149 \fB\fB-U\fR \fIfile\fR\fR
 150 .ad
 151 .sp .6
 152 .RS 4n
 153 Uncompress a compressed file.
 154 .RE
 155 
 156 .sp
 157 .LP
 158 The following options are used when the file is encrypted:
 159 .sp
 160 .ne 2
 161 .na
 162 \fB\fB-c\fR \fIcrypto_algorithm\fR\fR
 163 .ad
 164 .sp .6
 165 .RS 4n
 166 Select the encryption algorithm. The algorithm must be specified when
 167 encryption is enabled because the algorithm is not stored in the disk image.
 168 .sp
 169 If none of \fB-e\fR, \fB-k\fR, or \fB-T\fR is specified, \fBlofiadm\fR prompts
 170 for a passphrase, with a minimum length of eight characters, to be entered.
 171 The passphrase is used to derive a symmetric encryption key using PKCS#5 PBKDF2.
 172 .RE
 173 
 174 .sp
 175 .ne 2
 176 .na
 177 \fB\fB-k\fR \fIraw_key_file\fR | \fIwrapped_key_file\fR\fR
 178 .ad
 179 .sp .6
 180 .RS 4n
 181 Path to raw or wrapped symmetric encryption key. If a PKCS#11 object is also
 182 given with the \fB-T\fR option, then the key is wrapped by that object. If
 183 \fB-T\fR is not specified, the key is used raw.
 184 .RE
 185 
 186 .sp
 187 .ne 2
 188 .na
 189 \fB\fB-T\fR \fItoken_key\fR\fR
 190 .ad
 191 .sp .6
 192 .RS 4n
 193 The key in a PKCS#11 token to use for the encryption or for unwrapping the key
 194 file.
 195 .sp
 196 If \fB-k\fR is also specified, \fB-T\fR identifies the unwrapping key, which
 197 must be an RSA private key.
 198 .RE
 199 
 200 .sp
 201 .ne 2
 202 .na
 203 \fB\fB-e\fR\fR
 204 .ad
 205 .sp .6
 206 .RS 4n
 207 Generate an ephemeral symmetric encryption key.
 208 .RE
 209 
 210 .SH OPERANDS
 211 .sp
 212 .LP
 213 The following operands are supported:
 214 .sp
 215 .ne 2
 216 .na
 217 \fB\fIcrypto_algorithm\fR\fR
 218 .ad
 219 .sp .6
 220 .RS 4n
 221 One of: \fBaes-128-cbc\fR, \fBaes-192-cbc\fR, \fBaes-256-cbc\fR,
 222 \fBdes3-cbc\fR, \fBblowfish-cbc\fR.
 223 .RE
 224 
 225 .sp
 226 .ne 2
 227 .na
 228 \fB\fIdevice\fR\fR
 229 .ad
 230 .sp .6
 231 .RS 4n
 232 Display the file name associated with the block device \fIdevice\fR.
 233 .sp
 234 Without arguments, print a list of the current associations. Filenames must be
 235 valid absolute pathnames.
 236 .sp
 237 When a file is added, it is opened for reading or writing by root. Any
 238 restrictions apply (such as restricted root access over \fBNFS\fR). The file is
 239 held open until the association is removed. It is not actually accessed until
 240 the block device is used, so it will never be written to if the block device is
 241 only opened read-only.
 242 .RE
 243 
 244 .sp
 245 .ne 2
 246 .na
 247 \fB\fIfile\fR\fR
 248 .ad
 249 .sp .6
 250 .RS 4n
 251 Display the block device associated with \fIfile\fR.
 252 .RE
 253 
 254 .sp
 255 .ne 2
 256 .na
 257 \fB\fIraw_key_file\fR\fR
 258 .ad
 259 .sp .6
 260 .RS 4n
 261 Path to a file of the appropriate length, in bits, to use as a raw symmetric
 262 encryption key.
 263 .RE
 264 
 265 .sp
 266 .ne 2
 267 .na
 268 \fB\fItoken_key\fR\fR
 269 .ad
 270 .sp .6
 271 .RS 4n
 272 PKCS#11 token object in the format:
 273 .sp
 274 .in +2
 275 .nf
 276 \fItoken_name\fR:\fImanufacturer_id\fR:\fIserial_number\fR:\fIkey_label\fR
 277 .fi
 278 .in -2
 279 .sp
 280 
 281 All but the key label are optional and can be empty. For example, to specify a
 282 token object with only its key label \fBMylofiKey\fR, use:
 283 .sp
 284 .in +2
 285 .nf
 286 -T :::MylofiKey
 287 .fi
 288 .in -2
 289 .sp
 290 
 291 .RE
 292 
 293 .sp
 294 .ne 2
 295 .na
 296 \fB\fIwrapped_key_file\fR\fR
 297 .ad
 298 .sp .6
 299 .RS 4n
 300 Path to file containing a symmetric encryption key wrapped by the RSA private
 301 key specified by \fB-T\fR.
 302 .RE
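.sp
.LP
The following added example is not part of the original manual page or of
lofiadm itself. It creates a raw key file for the aes-*-cbc algorithms listed
above and checks that the file has the matching length and is accessible only
by its owner. The function names and the paths in the usage comment are
hypothetical, and des3-cbc and blowfish-cbc are rejected because this page does
not state their key lengths.
.sp
.nf
```sh
# Added example, not from the lofiadm manual. Function names are hypothetical.

# aes_key_bytes ALGO
# Print the raw key length in bytes implied by the name aes-N-cbc (N bits).
aes_key_bytes() {
    case $1 in
        aes-128-cbc) echo 16 ;;
        aes-192-cbc) echo 24 ;;
        aes-256-cbc) echo 32 ;;
        *) return 1 ;;          # length not stated on this page
    esac
}

# raw_key_ok ALGO PATH
# Succeed when PATH holds exactly the expected number of bytes and its mode
# grants nothing to group or other.
raw_key_ok() {
    want=$(aes_key_bytes "$1") || return 2
    have=$(wc -c < "$2" | tr -d ' ') || return 1
    [ "$have" -eq "$want" ] || return 1
    set -- $(ls -ld "$2")       # first field is the mode string
    case $1 in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# make_raw_key ALGO PATH
# Write a fresh random key readable only by its owner. Refuses to overwrite
# an existing file, then re-checks the result with raw_key_ok.
make_raw_key() {
    len=$(aes_key_bytes "$1") || { echo "unsupported algorithm: $1" >&2; return 2; }
    [ -e "$2" ] && { echo "refusing to overwrite $2" >&2; return 3; }
    (
        umask 077
        dd if=/dev/urandom of="$2" bs="$len" count=1 2>/dev/null
    ) || return 1
    raw_key_ok "$1" "$2"
}

# Usage, as root (both paths are placeholders):
#   make_raw_key aes-256-cbc /etc/keys/secrets.key &&
#       lofiadm -c aes-256-cbc -k /etc/keys/secrets.key -a /export/home/secrets
```
.fi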
 303 
 304 .SH EXAMPLES
 305 .LP
 306 \fBExample 1 \fRMounting an Existing CD-ROM Image
 307 .sp
 308 .LP
 309 You should ensure that Solaris understands the image before creating the
 310 \fBCD\fR. \fBlofi\fR allows you to mount the image and see if it works.
 311 
 312 .sp
 313 .LP
 314 This example mounts an existing \fBCD-ROM\fR image (\fBsparc.iso\fR) of the
 315 \fBRed Hat 6.0 CD\fR, which was downloaded from the Internet. It was created
 316 with the \fBmkisofs\fR utility from the Internet.
 317 
 318 .sp
 319 .LP
 320 Use \fBlofiadm\fR to attach a block device to it:
 321 
 322 .sp
 323 .in +2
 324 .nf
 325 # \fBlofiadm -a /home/mike_s/RH6.0/sparc.iso\fR
 326 /dev/lofi/1
 327 .fi
 328 .in -2
 329 .sp
 330 
 331 .sp
 332 .LP
 333 \fBlofiadm\fR picks the device and prints the device name to the standard
 334 output. You can run \fBlofiadm\fR again by issuing the following command:
 335 
 336 .sp
 337 .in +2
 338 .nf
 339 # \fBlofiadm\fR
 340 Block Device     File                           Options
 341 /dev/lofi/1      /home/mike_s/RH6.0/sparc.iso   -
 342 .fi
 343 .in -2
 344 .sp
 345 
 346 .sp
 347 .LP
 348 Or, you can give it one name and ask for the other, by issuing the following
 349 command:
 350 
 351 .sp
 352 .in +2
 353 .nf
 354 # \fBlofiadm /dev/lofi/1\fR
 355 /home/mike_s/RH6.0/sparc.iso
 356 .fi
 357 .in -2
 358 .sp
 359 
 360 .sp
 361 .LP
 362 Use the \fBmount\fR command to mount the image:
 363 
 364 .sp
 365 .in +2
 366 .nf
 367 # \fBmount -F hsfs -o ro /dev/lofi/1 /mnt\fR
 368 .fi
 369 .in -2
 370 .sp
 371 
 372 .sp
 373 .LP
 374 Check to ensure that Solaris understands the image:
 375 
 376 .sp
 377 .in +2
 378 .nf
 379 # \fBdf -k /mnt\fR
 380 Filesystem            kbytes    used   avail capacity  Mounted on
 381 /dev/lofi/1           512418  512418       0   100%    /mnt
 382 # \fBls /mnt\fR
 383 \&./            RedHat/       doc/          ls-lR         rr_moved/
 384 \&../           TRANS.TBL     dosutils/     ls-lR.gz      sbin@
 385 \&.buildlog     bin@          etc@          misc/         tmp/
 386 COPYING       boot/         images/       mnt/          usr@
 387 README        boot.cat*     kernels/      modules/
 388 RPM-PGP-KEY   dev@          lib@          proc/
 389 .fi
 390 .in -2
 391 .sp
 392 
 393 .sp
 394 .LP
 395 Solaris can mount the CD-ROM image, and understand the filenames. The image was
 396 created properly, and you can now create the \fBCD-ROM\fR with confidence.
 397 
 398 .sp
 399 .LP
 400 As a final step, unmount and detach the image:
 401 
 402 .sp
 403 .in +2
 404 .nf
 405 # \fBumount /mnt\fR
 406 # \fBlofiadm -d /dev/lofi/1\fR
 407 # \fBlofiadm\fR
 408 Block Device             File             Options
 409 .fi
 410 .in -2
 411 .sp
 412 
 413 .LP
 414 \fBExample 2 \fRMounting a Floppy Image
 415 .sp
 416 .LP
 417 This is similar to the first example.
 418 
 419 .sp
 420 .LP
 421 Using \fBlofi\fR to help you mount files that contain floppy images is helpful
 422 if a floppy disk contains a file that you need, but the machine which you are
 423 on does not have a floppy drive. It is also helpful if you do not want to take
 424 the time to use the \fBdd\fR command to copy the image to a floppy.
 425 
 426 .sp
 427 .LP
 428 This is an example of getting to the \fBMDB\fR floppy for Solaris on an x86
 429 platform:
 430 
 431 .sp
 432 .in +2
 433 .nf
 434 # \fBlofiadm -a /export/s28/MDB_s28x_wos/latest/boot.3\fR
 435 /dev/lofi/1
 436 # \fBmount -F pcfs /dev/lofi/1 /mnt\fR
 437 # \fBls /mnt\fR
 438 \&./            COMMENT.BAT*  RC.D/         SOLARIS.MAP*
 439 \&../           IDENT*        REPLACE.BAT*  X/
 440 APPEND.BAT*   MAKEDIR.BAT*  SOLARIS/
 441 # \fBumount /mnt\fR
 442 # \fBlofiadm -d /export/s28/MDB_s28x_wos/latest/boot.3\fR
 443 .fi
 444 .in -2
 445 .sp
 446 
 447 .LP
 448 \fBExample 3 \fRMaking a \fBUFS\fR Filesystem on a File
 449 .sp
 450 .LP
 451 Making a \fBUFS\fR filesystem on a file can be useful, particularly if a test
 452 suite requires a scratch filesystem. It can be painful (or annoying) to have to
 453 repartition a disk just for the test suite, but you do not have to. You can
 454 \fBnewfs\fR a file with \fBlofi\fR.
 455 
 456 .sp
 457 .LP
 458 Create the file:
 459 
 460 .sp
 461 .in +2
 462 .nf
 463 # \fBmkfile 35m /export/home/test\fR
 464 .fi
 465 .in -2
 466 .sp
 467 
 468 .sp
 469 .LP
 470 Attach it to a block device. You also get the character device that \fBnewfs\fR
 471 requires, so \fBnewfs\fR that:
 472 
 473 .sp
 474 .in +2
 475 .nf
 476 # \fBlofiadm -a /export/home/test\fR
 477 /dev/lofi/1
 478 # \fBnewfs /dev/rlofi/1\fR
 479 newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
 480 /dev/rlofi/1:   71638 sectors in 119 cylinders of 1 tracks, 602 sectors
 481         35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
 482 super-block backups (for fsck -F ufs -o b=#) at:
 483  32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
 484 .fi
 485 .in -2
 486 .sp
 487 
 488 .sp
 489 .LP
 490 Note that \fBufs\fR might not be able to use the entire file. Mount and use the
 491 filesystem:
 492 
 493 .sp
 494 .in +2
 495 .nf
 496 # \fBmount /dev/lofi/1 /mnt\fR
 497 # \fBdf -k /mnt\fR
 498 Filesystem            kbytes    used   avail capacity  Mounted on
 499 /dev/lofi/1            33455       9   30101     1%    /mnt
 500 # \fBls /mnt\fR
 501 \&./           ../          lost+found/
 502 # \fBumount /mnt\fR
 503 # \fBlofiadm -d /dev/lofi/1\fR
 504 .fi
 505 .in -2
 506 .sp
 507 
 508 .LP
 509 \fBExample 4 \fRCreating a PC (FAT) File System on a Unix File
 510 .sp
 511 .LP
 512 The following series of commands creates a \fBFAT\fR file system on a Unix
 513 file. The file is associated with a block device created by \fBlofiadm\fR.
 514 
 515 .sp
 516 .in +2
 517 .nf
 518 # \fBmkfile 10M /export/test/testfs\fR
 519 # \fBlofiadm -a /export/test/testfs\fR
 520 /dev/lofi/1
 521 \fBNote use of\fR rlofi\fB, not\fR lofi\fB, in following command.\fR
 522 # \fBmkfs -F pcfs -o nofdisk,size=20480 /dev/rlofi/1\fR
 523 \fBConstruct a new FAT file system on /dev/rlofi/1: (y/n)?\fR y
 524 # \fBmount -F pcfs /dev/lofi/1 /mnt\fR
 525 # \fBcd /mnt\fR
 526 # \fBdf -k .\fR
 527 Filesystem            kbytes    used   avail capacity  Mounted on
 528 /dev/lofi/1            10142       0   10142     0%    /mnt
 529 .fi
 530 .in -2
 531 .sp
 532 
 533 .LP
 534 \fBExample 5 \fRCompressing an Existing CD-ROM Image
 535 .sp
 536 .LP
 537 The following example illustrates compressing an existing CD-ROM image
 538 (\fBsolaris.iso\fR), verifying that the image is compressed, and then
 539 uncompressing it.
 540 
 541 .sp
 542 .in +2
 543 .nf
 544 # \fBlofiadm -C gzip /export/home/solaris.iso\fR
 545 .fi
 546 .in -2
 547 .sp
 548 
 549 .sp
 550 .LP
 551 Use \fBlofiadm\fR to attach a block device to it:
 552 
 553 .sp
 554 .in +2
 555 .nf
 556 # \fBlofiadm -a /export/home/solaris.iso\fR
 557   /dev/lofi/1
 558 .fi
 559 .in -2
 560 .sp
 561 
 562 .sp
 563 .LP
 564 Check if the mapped image is compressed:
 565 
 566 .sp
 567 .in +2
 568 .nf
 569 # \fBlofiadm\fR
 570 Block Device      File                            Options
 571 /dev/lofi/1       /export/home/solaris.iso        Compressed(gzip)
 572 /dev/lofi/2       /export/home/regular.iso        -
 573 .fi
 574 .in -2
 575 .sp
 576 
 577 .sp
 578 .LP
 579 Unmap the compressed image and uncompress it:
 580 
 581 .sp
 582 .in +2
 583 .nf
 584 # \fBlofiadm -d /dev/lofi/1\fR
 585 # \fBlofiadm -U /export/home/solaris.iso\fR
 586 .fi
 587 .in -2
 588 .sp
 589 
 590 .LP
 591 \fBExample 6 \fRCreating an Encrypted UFS File System on a File
 592 .sp
 593 .LP
 594 This example is similar to the example of making a UFS filesystem on a file,
 595 above.
 596 
 597 .sp
 598 .LP
 599 Create the file:
 600 
 601 .sp
 602 .in +2
 603 .nf
 604 # \fBmkfile 35m /export/home/secrets\fR
 605 .fi
 606 .in -2
 607 .sp
 608 
 609 .sp
 610 .LP
 611 Attach the file to a block device and specify that the file image is encrypted.
 612 As a result of this command, you obtain the character device, which is
 613 subsequently used by \fBnewfs\fR:
 614 
 615 .sp
 616 .in +2
 617 .nf
 618 # \fBlofiadm -c aes-256-cbc -a /export/home/secrets\fR
 619 Enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR           (\fBnot echoed\fR)
 620 Re-enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR        (\fBnot echoed\fR)
 621 /dev/lofi/1
 622 
 623 # \fBnewfs /dev/rlofi/1\fR
 624 newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
 625 /dev/rlofi/1:   71638 sectors in 119 cylinders of 1 tracks, 602 sectors
 626        35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
 627 super-block backups (for fsck -F ufs -o b=#) at:
 628 32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
 629 .fi
 630 .in -2
 631 .sp
 632 
 633 .sp
 634 .LP
 635 The mapped file system shows that encryption is enabled:
 636 
 637 .sp
 638 .in +2
 639 .nf
 640 # \fBlofiadm\fR
 641 Block Device    File                     Options
 642 /dev/lofi/1     /export/home/secrets     Encrypted
 643 .fi
 644 .in -2
 645 .sp
 646 
 647 .sp
 648 .LP
 649 Mount and use the filesystem:
 650 
 651 .sp
 652 .in +2
 653 .nf
 654 # \fBmount /dev/lofi/1 /mnt\fR
 655 # \fBcp moms_secret_*_recipe /mnt\fR
 656 # \fBls /mnt\fR
 657 \&./           moms_secret_cookie_recipe    moms_secret_soup_recipe
 658 \&../          moms_secret_fudge_recipe     moms_secret_stuffing_recipe
 659 lost+found/  moms_secret_meatloaf_recipe  moms_secret_waffle_recipe
 660 # \fBumount /mnt\fR
 661 # \fBlofiadm -d /dev/lofi/1\fR
 662 .fi
 663 .in -2
 664 .sp
 665 
 666 .sp
 667 .LP
 668 Subsequent attempts to map the filesystem with the wrong key or the wrong
 669 encryption algorithm will fail:
 670 
 671 .sp
 672 .in +2
 673 .nf
 674 # \fBlofiadm -c blowfish-cbc -a /export/home/secrets\fR
 675 Enter passphrase: \fBmommy\fR                                (\fInot echoed\fR)
 676 Re-enter passphrase: \fBmommy\fR                             (\fInot echoed\fR)
 677 lofiadm: could not map file /export/home/secrets: Invalid argument
 678 # \fBlofiadm\fR
 679 Block Device    File                    Options
 680 #
 681 .fi
 682 .in -2
 683 .sp
 684 
 685 .sp
 686 .LP
 687 Attempts to map the filesystem without encryption will succeed; however,
 688 attempts to mount and use the filesystem will fail:
 689 
 690 .sp
 691 .in +2
 692 .nf
 693 # \fBlofiadm -a /export/home/secrets\fR
 694 /dev/lofi/1
 695 # \fBlofiadm\fR
 696 Block Device    File                     Options
 697 /dev/lofi/1     /export/home/secrets     -
 698 # \fBmount /dev/lofi/1 /mnt\fR
 699 mount: /dev/lofi/1 is not this fstype
 700 #
 701 .fi
 702 .in -2
 703 .sp
 704 
 705 .SH ENVIRONMENT VARIABLES
 706 .sp
 707 .LP
 708 See \fBenviron\fR(5) for descriptions of the following environment variables
 709 that affect the execution of \fBlofiadm\fR: \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR
 710 and \fBNLSPATH\fR.
 711 .SH EXIT STATUS
 712 .sp
 713 .LP
 714 The following exit values are returned:
 715 .sp
 716 .ne 2
 717 .na
 718 \fB\fB0\fR\fR
 719 .ad
 720 .sp .6
 721 .RS 4n
 722 Successful completion.
 723 .RE
 724 
 725 .sp
 726 .ne 2
 727 .na
 728 \fB\fB>0\fR\fR
 729 .ad
 730 .sp .6
 731 .RS 4n
 732 An error occurred.
 733 .RE
 734 
 735 .SH SEE ALSO
 736 .sp
 737 .LP
 738 \fBfsck\fR(1M), \fBmount\fR(1M), \fBmount_ufs\fR(1M), \fBnewfs\fR(1M),
 739 \fBattributes\fR(5), \fBlofi\fR(7D), \fBlofs\fR(7FS)
 740 .SH NOTES
 741 .sp
 742 .LP
 743 Just as you would not directly access a disk device that has mounted file
 744 systems, you should not access a file associated with a block device except
 745 through the \fBlofi\fR file driver. It might also be appropriate to ensure that
 746 the file has appropriate permissions to prevent such access.
 747 .sp
 748 .LP
 749 The abilities of \fBlofiadm\fR, and who can use them, are controlled by the
 750 permissions of \fB/dev/lofictl\fR. Read-access allows query operations, such as
 751 listing all the associations. Write-access is required to do any state-changing
 752 operations, like adding an association. As shipped, \fB/dev/lofictl\fR is owned
 753 by \fBroot\fR, in group \fBsys\fR, and mode \fB0644\fR, so all users can do
 754 query operations but only root can change anything. The administrator can give
 755 users write-access, allowing them to add or delete associations, but that is
 756 very likely a security hole and should probably only be given to a trusted
 757 group.
 758 .sp
 759 .LP
 760 When mounting a filesystem image, take care to use appropriate mount options.
 761 In particular, the \fBnosuid\fR mount option might be appropriate for \fBUFS\fR
 762 images whose origin is unknown. Also, some options might not be useful or
 763 appropriate, like \fBlogging\fR or \fBforcedirectio\fR for \fBUFS\fR. For
 764 compatibility purposes, a raw device is also exported along with the block
 765 device. For example, \fBnewfs\fR(1M) requires one.
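.sp
.LP
The two checks described in the preceding paragraphs, as an added example that
is not part of the original manual page: it verifies from one line of ls -lL
output that /dev/lofictl is owned by root and not writable by group or other,
and mounts a UFS image of unknown origin read-only with nosuid, removing the
association again if the mount fails. The function names, the image path and
the sample ls line are constructed for illustration.
.sp
.nf
```sh
# Added example, not from the lofiadm manual. Function names are hypothetical.

# lofictl_perms_ok LINE
# LINE is one line of "ls -lL /dev/lofictl" output (-L follows a symbolic
# link, if /dev/lofictl is one). Succeeds only for a character device owned
# by root with no write bit for group or other, as in the shipped mode 0644.
# Constructed sample line:
#   crw-r--r--   1 root     sys      147,  0 Aug 31  2009 /dev/lofictl
lofictl_perms_ok() {
    set -- $1                      # split into fields: mode, links, owner, ...
    [ "$3" = root ] || return 1
    case $1 in
        c????-??-?*) return 0 ;;   # 6th and 9th characters: group/other write
        *)           return 1 ;;
    esac
}

# mount_untrusted_ufs IMAGE MOUNTPOINT
# Attach IMAGE with lofiadm -a and mount it read-only with nosuid. Because the
# block device is only opened read-only, the image file is never written to.
# On mount failure the association is removed so no lofi device is left
# behind. Prints the device name on success.
mount_untrusted_ufs() {
    image=$1 mnt=$2
    case $image in
        /*) ;;                     # lofiadm requires absolute pathnames
        *)  echo "image must be an absolute path: $image" >&2; return 2 ;;
    esac
    dev=$(lofiadm -a "$image") || return 1
    if mount -F ufs -o ro,nosuid "$dev" "$mnt"; then
        echo "$dev"
        return 0
    fi
    echo "mount failed, detaching $dev" >&2
    lofiadm -d "$dev"
    return 1
}

# Usage, as root on the host (image path is a placeholder):
#   lofictl_perms_ok "$(ls -lL /dev/lofictl)" &&
#       mount_untrusted_ufs /export/home/unknown.img /mnt
```
.fi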
 766 .sp
 767 .LP
 768 The output of \fBlofiadm\fR (without arguments) might change in future
 769 releases.