1 '\" te
2 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
4 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
5 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH LOFIADM 1M "Aug 28, 2013"
7 .SH NAME
8 lofiadm \- administer files available as block devices through lofi
9 .SH SYNOPSIS
10 .LP
11 .nf
12 \fBlofiadm\fR [\fB-r\fR] \fB-a\fR \fIfile\fR [\fIdevice\fR]
13 .fi
14
15 .LP
16 .nf
17 \fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
18 .fi
19
20 .LP
21 .nf
22 \fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-k\fR \fIraw_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
23 .fi
24
25 .LP
26 .nf
27 \fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
28 .fi
29
30 .LP
31 .nf
32 \fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR
33 \fB-k\fR \fIwrapped_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
34 .fi
35
36 .LP
37 .nf
38 \fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-e\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
39 .fi
40
41 .LP
42 .nf
43 \fBlofiadm\fR \fB-C\fR \fIalgorithm\fR [\fB-s\fR \fIsegment_size\fR] \fIfile\fR
44 .fi
45
46 .LP
47 .nf
48 \fBlofiadm\fR \fB-d\fR \fIfile\fR | \fIdevice\fR
49 .fi
50
51 .LP
52 .nf
53 \fBlofiadm\fR \fB-U\fR \fIfile\fR
54 .fi
55
56 .LP
57 .nf
58 \fBlofiadm\fR [ \fIfile\fR | \fIdevice\fR]
59 .fi
60
61 .SH DESCRIPTION
62 .sp
63 .LP
64 \fBlofiadm\fR administers \fBlofi\fR, the loopback file driver. \fBlofi\fR
65 allows a file to be associated with a block device. That file can then be
66 accessed through the block device. This is useful when the file contains an
67 image of some filesystem (such as a floppy or \fBCD-ROM\fR image), because the
68 block device can then be used with the normal system utilities for mounting,
69 checking or repairing filesystems. See \fBfsck\fR(1M) and \fBmount\fR(1M).
70 .sp
71 .LP
72 Use \fBlofiadm\fR to add a file as a loopback device, remove such an
73 association, or print information about the current associations.
74 .sp
75 .LP
76 Encryption and compression options are mutually exclusive on the command line.
77 Further, an encrypted file cannot be compressed later, nor can a compressed
78 file be encrypted later.
79 .sp
80 .LP
81 The \fBlofi\fR driver is not available and will not work inside a zone.
82 .SH OPTIONS
83 .sp
84 .LP
85 The following options are supported:
86 .sp
87 .ne 2
88 .na
89 \fB\fB-a\fR \fIfile\fR [\fIdevice\fR]\fR
90 .ad
91 .sp .6
92 .RS 4n
93 Add \fIfile\fR as a block device.
94 .sp
95 If \fIdevice\fR is not specified, an available device is picked.
96 .sp
97 If \fIdevice\fR is specified, \fBlofiadm\fR attempts to assign it to
98 \fIfile\fR. \fIdevice\fR must be available or \fBlofiadm\fR will fail. The
99 ability to specify a device is provided for use in scripts that wish to
100 reestablish a particular set of associations.
101 .RE
102
103 .sp
104 .ne 2
105 .na
106 \fB\fB-C\fR {\fIgzip\fR | \fIgzip-N\fR | \fIlzma\fR}\fR
107 .ad
108 .sp .6
109 .RS 4n
110 Compress the file with the specified compression algorithm.
111 .sp
112 The \fBgzip\fR compression algorithm uses the same compression as the
113 open-source \fBgzip\fR command. You can specify the \fBgzip\fR level by using
114 the value \fBgzip-\fR\fIN\fR where \fIN\fR is 6 (fast) or 9 (best compression
115 ratio). Currently, \fBgzip\fR, without a number, is equivalent to \fBgzip-6\fR
116 (which is also the default for the \fBgzip\fR command).
117 .sp
118 \fIlzma\fR stands for the LZMA (Lempel-Ziv-Markov) compression algorithm.
119 .sp
120 Note that you cannot write to a compressed file, nor can you mount a compressed
121 file read/write.
122 .RE
123
124 .sp
125 .ne 2
126 .na
127 \fB\fB-d\fR \fIfile\fR | \fIdevice\fR\fR
128 .ad
129 .sp .6
130 .RS 4n
131 Remove an association by \fIfile\fR or \fIdevice\fR name, if the associated
132 block device is not busy, and deallocates the block device.
133 .RE
134
135 .sp
136 .ne 2
137 .na
138 \fB\fB-r\fR
139 .ad
140 .sp .6
141 .RS 4n
142 If the \fB-r\fR option is specified before the \fB-a\fR option, the
143 \fIdevice\fR will be opened read-only.
144 .RE
145
146 .sp
147 .ne 2
148 .na
149 \fB\fB-s\fR \fIsegment_size\fR\fR
150 .ad
151 .sp .6
152 .RS 4n
153 The segment size to use to divide the file being compressed. \fIsegment_size\fR
154 can be an integer multiple of 512.
155 .RE
156
157 .sp
158 .ne 2
159 .na
160 \fB\fB-U\fR \fIfile\fR\fR
161 .ad
162 .sp .6
163 .RS 4n
164 Uncompress a compressed file.
165 .RE
166
167 .sp
168 .LP
169 The following options are used when the file is encrypted:
170 .sp
171 .ne 2
172 .na
173 \fB\fB-c\fR \fIcrypto_algorithm\fR\fR
174 .ad
175 .sp .6
176 .RS 4n
177 Select the encryption algorithm. The algorithm must be specified when
178 encryption is enabled because the algorithm is not stored in the disk image.
179 .sp
180 If none of \fB-e\fR, \fB-k\fR, or \fB-T\fR is specified, \fBlofiadm\fR prompts
181 for a passphrase, with a minimum length of eight characters, to be entered .
182 The passphrase is used to derive a symmetric encryption key using PKCS#5 PBKD2.
183 .RE
184
185 .sp
186 .ne 2
187 .na
188 \fB\fB-k\fR \fIraw_key_file\fR | \fIwrapped_key_file\fR\fR
189 .ad
190 .sp .6
191 .RS 4n
192 Path to raw or wrapped symmetric encryption key. If a PKCS#11 object is also
193 given with the \fB-T\fR option, then the key is wrapped by that object. If
194 \fB-T\fR is not specified, the key is used raw.
195 .RE
196
197 .sp
198 .ne 2
199 .na
200 \fB\fB-T\fR \fItoken_key\fR\fR
201 .ad
202 .sp .6
203 .RS 4n
204 The key in a PKCS#11 token to use for the encryption or for unwrapping the key
205 file.
206 .sp
207 If \fB-k\fR is also specified, \fB-T\fR identifies the unwrapping key, which
208 must be an RSA private key.
209 .RE
210
211 .sp
212 .ne 2
213 .na
214 \fB\fB-e\fR\fR
215 .ad
216 .sp .6
217 .RS 4n
218 Generate an ephemeral symmetric encryption key.
219 .RE
220
221 .SH OPERANDS
222 .sp
223 .LP
224 The following operands are supported:
225 .sp
226 .ne 2
227 .na
228 \fB\fIcrypto_algorithm\fR\fR
229 .ad
230 .sp .6
231 .RS 4n
232 One of: \fBaes-128-cbc\fR, \fBaes-192-cbc\fR, \fBaes-256-cbc\fR,
233 \fBdes3-cbc\fR, \fBblowfish-cbc\fR.
234 .RE
235
236 .sp
237 .ne 2
238 .na
239 \fB\fIdevice\fR\fR
240 .ad
241 .sp .6
242 .RS 4n
243 Display the file name associated with the block device \fIdevice\fR.
244 .sp
245 Without arguments, print a list of the current associations. Filenames must be
246 valid absolute pathnames.
247 .sp
248 When a file is added, it is opened for reading or writing by root. Any
249 restrictions apply (such as restricted root access over \fBNFS\fR). The file is
250 held open until the association is removed. It is not actually accessed until
251 the block device is used, so it will never be written to if the block device is
252 only opened read-only.
253 .RE
254
255 .sp
256 .ne 2
257 .na
258 \fB\fIfile\fR\fR
259 .ad
260 .sp .6
261 .RS 4n
262 Display the block device associated with \fIfile\fR.
263 .RE
264
265 .sp
266 .ne 2
267 .na
268 \fB\fIraw_key_file\fR\fR
269 .ad
270 .sp .6
271 .RS 4n
272 Path to a file of the appropriate length, in bits, to use as a raw symmetric
273 encryption key.
274 .RE
275
276 .sp
277 .ne 2
278 .na
279 \fB\fItoken_key\fR\fR
280 .ad
281 .sp .6
282 .RS 4n
283 PKCS#11 token object in the format:
284 .sp
285 .in +2
286 .nf
287 \fItoken_name\fR:\fImanufacturer_id\fR:\fIserial_number\fR:\fIkey_label\fR
288 .fi
289 .in -2
290 .sp
291
292 All but the key label are optional and can be empty. For example, to specify a
293 token object with only its key label \fBMylofiKey\fR, use:
294 .sp
295 .in +2
296 .nf
297 -T :::MylofiKey
298 .fi
299 .in -2
300 .sp
301
302 .RE
303
304 .sp
305 .ne 2
306 .na
307 \fB\fIwrapped_key_file\fR\fR
308 .ad
309 .sp .6
310 .RS 4n
311 Path to file containing a symmetric encryption key wrapped by the RSA private
312 key specified by \fB-T\fR.
313 .RE
314
315 .SH EXAMPLES
316 .LP
317 \fBExample 1 \fRMounting an Existing CD-ROM Image
318 .sp
319 .LP
320 You should ensure that Solaris understands the image before creating the
321 \fBCD\fR. \fBlofi\fR allows you to mount the image and see if it works.
322
323 .sp
324 .LP
325 This example mounts an existing \fBCD-ROM\fR image (\fBsparc.iso\fR), of the
326 \fBRed Hat 6.0 CD\fR which was downloaded from the Internet. It was created
327 with the \fBmkisofs\fR utility from the Internet.
328
329 .sp
330 .LP
331 Use \fBlofiadm\fR to attach a block device to it:
332
333 .sp
334 .in +2
335 .nf
336 # \fBlofiadm -a /home/mike_s/RH6.0/sparc.iso\fR
337 /dev/lofi/1
338 .fi
339 .in -2
340 .sp
341
342 .sp
343 .LP
344 \fBlofiadm\fR picks the device and prints the device name to the standard
345 output. You can run \fBlofiadm\fR again by issuing the following command:
346
347 .sp
348 .in +2
349 .nf
350 # \fBlofiadm\fR
351 Block Device File Options
352 /dev/lofi/1 /home/mike_s/RH6.0/sparc.iso -
353 .fi
354 .in -2
355 .sp
356
357 .sp
358 .LP
359 Or, you can give it one name and ask for the other, by issuing the following
360 command:
361
362 .sp
363 .in +2
364 .nf
365 # \fBlofiadm /dev/lofi/1\fR
366 /home/mike_s/RH6.0/sparc.iso
367 .fi
368 .in -2
369 .sp
370
371 .sp
372 .LP
373 Use the \fBmount\fR command to mount the image:
374
375 .sp
376 .in +2
377 .nf
378 # \fBmount -F hsfs -o ro /dev/lofi/1 /mnt\fR
379 .fi
380 .in -2
381 .sp
382
383 .sp
384 .LP
385 Check to ensure that Solaris understands the image:
386
387 .sp
388 .in +2
389 .nf
390 # \fBdf -k /mnt\fR
391 Filesystem kbytes used avail capacity Mounted on
392 /dev/lofi/1 512418 512418 0 100% /mnt
393 # \fBls /mnt\fR
394 \&./ RedHat/ doc/ ls-lR rr_moved/
395 \&../ TRANS.TBL dosutils/ ls-lR.gz sbin@
396 \&.buildlog bin@ etc@ misc/ tmp/
397 COPYING boot/ images/ mnt/ usr@
398 README boot.cat* kernels/ modules/
399 RPM-PGP-KEY dev@ lib@ proc/
400 .fi
401 .in -2
402 .sp
403
404 .sp
405 .LP
406 Solaris can mount the CD-ROM image, and understand the filenames. The image was
407 created properly, and you can now create the \fBCD-ROM\fR with confidence.
408
409 .sp
410 .LP
411 As a final step, unmount and detach the images:
412
413 .sp
414 .in +2
415 .nf
416 # \fBumount /mnt\fR
417 # \fBlofiadm -d /dev/lofi/1\fR
418 # \fBlofiadm\fR
419 Block Device File Options
420 .fi
421 .in -2
422 .sp
423
424 .LP
425 \fBExample 2 \fRMounting a Floppy Image
426 .sp
427 .LP
428 This is similar to the first example.
429
430 .sp
431 .LP
432 Using \fBlofi\fR to help you mount files that contain floppy images is helpful
433 if a floppy disk contains a file that you need, but the machine which you are
434 on does not have a floppy drive. It is also helpful if you do not want to take
435 the time to use the \fBdd\fR command to copy the image to a floppy.
436
437 .sp
438 .LP
439 This is an example of getting to \fBMDB\fR floppy for Solaris on an x86
440 platform:
441
442 .sp
443 .in +2
444 .nf
445 # \fBlofiadm -a /export/s28/MDB_s28x_wos/latest/boot.3\fR
446 /dev/lofi/1
447 # \fBmount -F pcfs /dev/lofi/1 /mnt\fR
448 # \fBls /mnt\fR
449 \&./ COMMENT.BAT* RC.D/ SOLARIS.MAP*
450 \&../ IDENT* REPLACE.BAT* X/
451 APPEND.BAT* MAKEDIR.BAT* SOLARIS/
452 # \fBumount /mnt\fR
453 # \fBlofiadm -d /export/s28/MDB_s28x_wos/latest/boot.3\fR
454 .fi
455 .in -2
456 .sp
457
458 .LP
459 \fBExample 3 \fRMaking a \fBUFS\fR Filesystem on a File
460 .sp
461 .LP
462 Making a \fBUFS\fR filesystem on a file can be useful, particularly if a test
463 suite requires a scratch filesystem. It can be painful (or annoying) to have to
464 repartition a disk just for the test suite, but you do not have to. You can
465 \fBnewfs\fR a file with \fBlofi\fR
466
467 .sp
468 .LP
469 Create the file:
470
471 .sp
472 .in +2
473 .nf
474 # \fBmkfile 35m /export/home/test\fR
475 .fi
476 .in -2
477 .sp
478
479 .sp
480 .LP
481 Attach it to a block device. You also get the character device that \fBnewfs\fR
482 requires, so \fBnewfs\fR that:
483
484 .sp
485 .in +2
486 .nf
487 # \fBlofiadm -a /export/home/test\fR
488 /dev/lofi/1
489 # \fBnewfs /dev/rlofi/1\fR
490 newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
491 /dev/rlofi/1: 71638 sectors in 119 cylinders of 1 tracks, 602 sectors
492 35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
493 super-block backups (for fsck -F ufs -o b=#) at:
494 32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
495 .fi
496 .in -2
497 .sp
498
499 .sp
500 .LP
501 Note that \fBufs\fR might not be able to use the entire file. Mount and use the
502 filesystem:
503
504 .sp
505 .in +2
506 .nf
507 # \fBmount /dev/lofi/1 /mnt\fR
508 # \fBdf -k /mnt\fR
509 Filesystem kbytes used avail capacity Mounted on
510 /dev/lofi/1 33455 9 30101 1% /mnt
511 # \fBls /mnt\fR
512 \&./ ../ lost+found/
513 # \fBumount /mnt\fR
514 # \fBlofiadm -d /dev/lofi/1\fR
515 .fi
516 .in -2
517 .sp
518
519 .LP
520 \fBExample 4 \fRCreating a PC (FAT) File System on a Unix File
521 .sp
522 .LP
523 The following series of commands creates a \fBFAT\fR file system on a Unix
524 file. The file is associated with a block device created by \fBlofiadm\fR.
525
526 .sp
527 .in +2
528 .nf
529 # \fBmkfile 10M /export/test/testfs\fR
530 # \fBlofiadm -a /export/test testfs\fR
531 /dev/lofi/1
532 \fBNote use of\fR rlofi\fB, not\fR lofi\fB, in following command.\fR
533 # \fBmkfs -F pcfs -o nofdisk,size=20480 /dev/rlofi/1\fR
534 \fBConstruct a new FAT file system on /dev/rlofi/1: (y/n)?\fR y
535 # \fBmount -F pcfs /dev/lofi/1 /mnt\fR
536 # \fBcd /mnt\fR
537 # \fBdf -k .\fR
538 Filesystem kbytes used avail capacity Mounted on
539 /dev/lofi/1 10142 0 10142 0% /mnt
540 .fi
541 .in -2
542 .sp
543
544 .LP
545 \fBExample 5 \fRCompressing an Existing CD-ROM Image
546 .sp
547 .LP
548 The following example illustrates compressing an existing CD-ROM image
549 (\fBsolaris.iso\fR), verifying that the image is compressed, and then
550 uncompressing it.
551
552 .sp
553 .in +2
554 .nf
555 # \fBlofiadm -C gzip /export/home/solaris.iso\fR
556 .fi
557 .in -2
558 .sp
559
560 .sp
561 .LP
562 Use \fBlofiadm\fR to attach a block device to it:
563
564 .sp
565 .in +2
566 .nf
567 # \fBlofiadm -a /export/home/solaris.iso\fR
568 /dev/lofi/1
569 .fi
570 .in -2
571 .sp
572
573 .sp
574 .LP
575 Check if the mapped image is compressed:
576
577 .sp
578 .in +2
579 .nf
580 # \fBlofiadm\fR
581 Block Device File Options
582 /dev/lofi/1 /export/home/solaris.iso Compressed(gzip)
583 /dev/lofi/2 /export/home/regular.iso -
584 .fi
585 .in -2
586 .sp
587
588 .sp
589 .LP
590 Unmap the compressed image and uncompress it:
591
592 .sp
593 .in +2
594 .nf
595 # \fBlofiadm -d /dev/lofi/1\fR
596 # \fBlofiadm -U /export/home/solaris.iso\fR
597 .fi
598 .in -2
599 .sp
600
601 .LP
602 \fBExample 6 \fRCreating an Encrypted UFS File System on a File
603 .sp
604 .LP
605 This example is similar to the example of making a UFS filesystem on a file,
606 above.
607
608 .sp
609 .LP
610 Create the file:
611
612 .sp
613 .in +2
614 .nf
615 # \fBmkfile 35m /export/home/test\fR
616 .fi
617 .in -2
618 .sp
619
620 .sp
621 .LP
622 Attach the file to a block device and specify that the file image is encrypted.
623 As a result of this command, you obtain the character device, which is
624 subsequently used by \fBnewfs\fR:
625
626 .sp
627 .in +2
628 .nf
629 # \fBlofiadm -c aes-256-cbc -a /export/home/secrets\fR
630 Enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR (\fBnot echoed\fR)
631 Re-enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR (\fBnot echoed\fR)
632 /dev/lofi/1
633
634 # \fBnewfs /dev/rlofi/1\fR
635 newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
636 /dev/rlofi/1: 71638 sectors in 119 cylinders of 1 tracks, 602 sectors
637 35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
638 super-block backups (for fsck -F ufs -o b=#) at:
639 32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
640 .fi
641 .in -2
642 .sp
643
644 .sp
645 .LP
646 The mapped file system shows that encryption is enabled:
647
648 .sp
649 .in +2
650 .nf
651 # \fBlofiadm\fR
652 Block Device File Options
653 /dev/lofi/1 /export/home/secrets Encrypted
654 .fi
655 .in -2
656 .sp
657
658 .sp
659 .LP
660 Mount and use the filesystem:
661
662 .sp
663 .in +2
664 .nf
665 # \fBmount /dev/lofi/1 /mnt\fR
666 # \fBcp moms_secret_*_recipe /mnt\fR
667 # \fBls /mnt\fR
668 \&./ moms_secret_cookie_recipe moms_secret_soup_recipe
669 \&../ moms_secret_fudge_recipe moms_secret_stuffing_recipe
670 lost+found/ moms_secret_meatloaf_recipe moms_secret_waffle_recipe
671 # \fBumount /mnt\fR
672 # \fBlofiadm -d /dev/lofi/1\fR
673 .fi
674 .in -2
675 .sp
676
677 .sp
678 .LP
679 Subsequent attempts to map the filesystem with the wrong key or the wrong
680 encryption algorithm will fail:
681
682 .sp
683 .in +2
684 .nf
685 # \fBlofiadm -c blowfish-cbc -a /export/home/secrets\fR
686 Enter passphrase: \fBmommy\fR (\fInot echoed\fR)
687 Re-enter passphrase: \fBmommy\fR (\fInot echoed\fR)
688 lofiadm: could not map file /root/lofi: Invalid argument
689 # \fBlofiadm\fR
690 Block Device File Options
691 #
692 .fi
693 .in -2
694 .sp
695
696 .sp
697 .LP
698 Attempts to map the filesystem without encryption will succeed, however
699 attempts to mount and use the filesystem will fail:
700
701 .sp
702 .in +2
703 .nf
704 # \fBlofiadm -a /export/home/secrets\fR
705 /dev/lofi/1
706 # \fBlofiadm\fR
707 Block Device File Options
708 /dev/lofi/1 /export/home/secrets -
709 # \fBmount /dev/lofi/1 /mnt\fR
710 mount: /dev/lofi/1 is not this fstype
711 #
712 .fi
713 .in -2
714 .sp
715
716 .SH ENVIRONMENT VARIABLES
717 .sp
718 .LP
719 See \fBenviron\fR(5) for descriptions of the following environment variables
720 that affect the execution of \fBlofiadm\fR: \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR
721 and \fBNLSPATH\fR.
722 .SH EXIT STATUS
723 .sp
724 .LP
725 The following exit values are returned:
726 .sp
727 .ne 2
728 .na
729 \fB\fB0\fR\fR
730 .ad
731 .sp .6
732 .RS 4n
733 Successful completion.
734 .RE
735
736 .sp
737 .ne 2
738 .na
739 \fB\fB>0\fR\fR
740 .ad
741 .sp .6
742 .RS 4n
743 An error occurred.
744 .RE
745
746 .SH SEE ALSO
747 .sp
748 .LP
749 \fBfsck\fR(1M), \fBmount\fR(1M), \fBmount_ufs\fR(1M), \fBnewfs\fR(1M),
750 \fBattributes\fR(5), \fBlofi\fR(7D), \fBlofs\fR(7FS)
751 .SH NOTES
752 .sp
753 .LP
754 Just as you would not directly access a disk device that has mounted file
755 systems, you should not access a file associated with a block device except
756 through the \fBlofi\fR file driver. It might also be appropriate to ensure that
757 the file has appropriate permissions to prevent such access.
758 .sp
759 .LP
760 The abilities of \fBlofiadm\fR, and who can use them, are controlled by the
761 permissions of \fB/dev/lofictl\fR. Read-access allows query operations, such as
762 listing all the associations. Write-access is required to do any state-changing
763 operations, like adding an association. As shipped, \fB/dev/lofictl\fR is owned
764 by \fBroot\fR, in group \fBsys\fR, and mode \fB0644\fR, so all users can do
765 query operations but only root can change anything. The administrator can give
766 users write-access, allowing them to add or delete associations, but that is
767 very likely a security hole and should probably only be given to a trusted
768 group.
769 .sp
770 .LP
771 When mounting a filesystem image, take care to use appropriate mount options.
772 In particular, the \fBnosuid\fR mount option might be appropriate for \fBUFS\fR
773 images whose origin is unknown. Also, some options might not be useful or
774 appropriate, like \fBlogging\fR or \fBforcedirectio\fR for \fBUFS\fR. For
775 compatibility purposes, a raw device is also exported along with the block
776 device. For example, \fBnewfs\fR(1M) requires one.
777 .sp
778 .LP
779 The output of \fBlofiadm\fR (without arguments) might change in future
780 releases.