'\" te
.\" Copyright 2013 Nexenta Systems, Inc.  All rights reserved.
.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH LOFIADM 1M "Aug 28, 2013"
.SH NAME
lofiadm \- administer files available as block devices through lofi
.SH SYNOPSIS
.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-k\fR \fIraw_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR
     \fB-k\fR \fIwrapped_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-e\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR \fB-C\fR \fIalgorithm\fR [\fB-s\fR \fIsegment_size\fR] \fIfile\fR
.fi

.LP
.nf
\fBlofiadm\fR \fB-d\fR \fIfile\fR | \fIdevice\fR
.fi
.LP
.nf
\fBlofiadm\fR \fB-U\fR \fIfile\fR
.fi

.LP
.nf
\fBlofiadm\fR [ \fIfile\fR | \fIdevice\fR]
.fi

.SH DESCRIPTION
.sp
.LP
\fBlofiadm\fR administers \fBlofi\fR, the loopback file driver. \fBlofi\fR
allows a file to be associated with a block device. That file can then be
accessed through the block device. This is useful when the file contains an
image of some filesystem (such as a floppy or \fBCD-ROM\fR image), because the
block device can then be used with the normal system utilities for mounting,
checking or repairing filesystems. See \fBfsck\fR(1M) and \fBmount\fR(1M).
.sp
.LP
Use \fBlofiadm\fR to add a file as a loopback device, remove such an
association, or print information about the current associations.
.sp
.LP
Encryption and compression options are mutually exclusive on the command line.
Further, an encrypted file cannot be compressed later, nor can a compressed
file be encrypted later.

In the global zone, \fBlofiadm\fR can be used on both the global
zone devices and all devices owned by other non-global zones on the system.
.sp
.LP
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-a\fR \fIfile\fR [\fIdevice\fR]\fR
.ad
.sp .6
.RS 4n
Add \fIfile\fR as a block device.
.sp
If \fIdevice\fR is not specified, an available device is picked.
.sp
If \fIdevice\fR is specified, \fBlofiadm\fR attempts to assign it to
\fIfile\fR. \fIdevice\fR must be available or \fBlofiadm\fR will fail. The
ability to specify a device is provided for use in scripts that wish to
reestablish a particular set of associations.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR {\fIgzip\fR | \fIgzip-N\fR | \fIlzma\fR}\fR
.ad
.sp .6
.RS 4n
Compress the file with the specified compression algorithm.
.sp
The \fBgzip\fR compression algorithm uses the same compression as the
open-source \fBgzip\fR command. You can specify the \fBgzip\fR level by using
the value \fBgzip-\fR\fIN\fR where \fIN\fR is 6 (fast) or 9 (best compression
ratio). Currently, \fBgzip\fR, without a number, is equivalent to \fBgzip-6\fR
(which is also the default for the \fBgzip\fR command).
.sp
\fIlzma\fR stands for the LZMA (Lempel-Ziv-Markov) compression algorithm.
.sp
Note that you cannot write to a compressed file, nor can you mount a compressed
file read/write.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR \fIfile\fR | \fIdevice\fR\fR
.ad
.sp .6
.RS 4n
Remove an association by \fIfile\fR or \fIdevice\fR name, if the associated
block device is not busy, and deallocate the block device.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR
.ad
.sp .6
.RS 4n
If the \fB-r\fR option is specified before the \fB-a\fR option, the
\fIdevice\fR will be opened read-only.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsegment_size\fR\fR
.ad
.sp .6
.RS 4n
The segment size to use to divide the file being compressed. \fIsegment_size\fR
can be an integer multiple of 512.
.RE

.sp
.ne 2
.na
\fB\fB-U\fR \fIfile\fR\fR
.ad
.sp .6
.RS 4n
Uncompress a compressed file.
.RE

.sp
.LP
The following options are used when the file is encrypted:
.sp
.ne 2
.na
\fB\fB-c\fR \fIcrypto_algorithm\fR\fR
.ad
.sp .6
.RS 4n
Select the encryption algorithm. The algorithm must be specified when
encryption is enabled because the algorithm is not stored in the disk image.
.sp
If none of \fB-e\fR, \fB-k\fR, or \fB-T\fR is specified, \fBlofiadm\fR prompts
for a passphrase, with a minimum length of eight characters, to be entered.
The passphrase is used to derive a symmetric encryption key using PKCS#5 PBKDF2.
.RE

.sp
.ne 2
.na
\fB\fB-k\fR \fIraw_key_file\fR | \fIwrapped_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to raw or wrapped symmetric encryption key. If a PKCS#11 object is also
given with the \fB-T\fR option, then the key is wrapped by that object. If
\fB-T\fR is not specified, the key is used raw.
.RE

.sp
.ne 2
.na
\fB\fB-T\fR \fItoken_key\fR\fR
.ad
.sp .6
.RS 4n
The key in a PKCS#11 token to use for the encryption or for unwrapping the key
file.
.sp
If \fB-k\fR is also specified, \fB-T\fR identifies the unwrapping key, which
must be an RSA private key.
.RE

.sp
.ne 2
.na
\fB\fB-e\fR\fR
.ad
.sp .6
.RS 4n
Generate an ephemeral symmetric encryption key.
.RE

.SH OPERANDS
.sp
.LP
The following operands are supported:
.sp
.ne 2
.na
\fB\fIcrypto_algorithm\fR\fR
.ad
.sp .6
.RS 4n
One of: \fBaes-128-cbc\fR, \fBaes-192-cbc\fR, \fBaes-256-cbc\fR,
\fBdes3-cbc\fR, \fBblowfish-cbc\fR.
.RE

.sp
.ne 2
.na
\fB\fIdevice\fR\fR
.ad
.sp .6
.RS 4n
Display the file name associated with the block device \fIdevice\fR.
.sp
Without arguments, print a list of the current associations. Filenames must be
valid absolute pathnames.
.sp
When a file is added, it is opened for reading or writing by root. Any
restrictions apply (such as restricted root access over \fBNFS\fR). The file is
held open until the association is removed. It is not actually accessed until
the block device is used, so it will never be written to if the block device is
only opened read-only.

Note that the filename may appear as "?" if it is not possible to resolve the
path in the current context (for example, if it's an NFS path in a non-global
zone).
.RE

.sp
.ne 2
.na
\fB\fIfile\fR\fR
.ad
.sp .6
.RS 4n
Display the block device associated with \fIfile\fR.
.RE

.sp
.ne 2
.na
\fB\fIraw_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to a file of the appropriate length, in bits, to use as a raw symmetric
encryption key.
.RE

.sp
.ne 2
.na
\fB\fItoken_key\fR\fR
.ad
.sp .6
.RS 4n
PKCS#11 token object in the format:
.sp
.in +2
.nf
\fItoken_name\fR:\fImanufacturer_id\fR:\fIserial_number\fR:\fIkey_label\fR
.fi
.in -2
.sp

All but the key label are optional and can be empty. For example, to specify a
token object with only its key label \fBMylofiKey\fR, use:
.sp
.in +2
.nf
-T :::MylofiKey
.fi
.in -2
.sp

.RE

.sp
.ne 2
.na
\fB\fIwrapped_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to file containing a symmetric encryption key wrapped by the RSA private
key specified by \fB-T\fR.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRMounting an Existing CD-ROM Image
.sp
.LP
You should ensure that Solaris understands the image before creating the
\fBCD\fR. \fBlofi\fR allows you to mount the image and see if it works.

.sp
.LP
This example mounts an existing \fBCD-ROM\fR image (\fBsparc.iso\fR), of the
\fBRed Hat 6.0 CD\fR which was downloaded from the Internet. It was created
with the \fBmkisofs\fR utility from the Internet.

.sp
.LP
Use \fBlofiadm\fR to attach a block device to it:

.sp
.in +2
.nf
# \fBlofiadm -a /home/mike_s/RH6.0/sparc.iso\fR
/dev/lofi/1
.fi
.in -2
.sp

.sp
.LP
\fBlofiadm\fR picks the device and prints the device name to the standard
output.
You can run \fBlofiadm\fR again by issuing the following command:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /home/mike_s/RH6.0/sparc.iso   -
.fi
.in -2
.sp

.sp
.LP
Or, you can give it one name and ask for the other, by issuing the following
command:

.sp
.in +2
.nf
# \fBlofiadm /dev/lofi/1\fR
/home/mike_s/RH6.0/sparc.iso
.fi
.in -2
.sp

.sp
.LP
Use the \fBmount\fR command to mount the image:

.sp
.in +2
.nf
# \fBmount -F hsfs -o ro /dev/lofi/1 /mnt\fR
.fi
.in -2
.sp

.sp
.LP
Check to ensure that Solaris understands the image:

.sp
.in +2
.nf
# \fBdf -k /mnt\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1           512418  512418       0   100%    /mnt
# \fBls /mnt\fR
\&./              RedHat/         doc/            ls-lR           rr_moved/
\&../             TRANS.TBL       dosutils/       ls-lR.gz        sbin@
\&.buildlog       bin@            etc@            misc/           tmp/
COPYING         boot/           images/         mnt/            usr@
README          boot.cat*       kernels/        modules/
RPM-PGP-KEY     dev@            lib@            proc/
.fi
.in -2
.sp

.sp
.LP
Solaris can mount the CD-ROM image, and understand the filenames. The image was
created properly, and you can now create the \fBCD-ROM\fR with confidence.

.sp
.LP
As a final step, unmount and detach the images:

.sp
.in +2
.nf
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
# \fBlofiadm\fR
Block Device             File                           Options
.fi
.in -2
.sp

.LP
\fBExample 2 \fRMounting a Floppy Image
.sp
.LP
This is similar to the first example.

.sp
.LP
Using \fBlofi\fR to help you mount files that contain floppy images is helpful
if a floppy disk contains a file that you need, but the machine which you are
on does not have a floppy drive.
It is also helpful if you do not want to take
the time to use the \fBdd\fR command to copy the image to a floppy.

.sp
.LP
This is an example of getting to the \fBMDB\fR floppy for Solaris on an x86
platform:

.sp
.in +2
.nf
# \fBlofiadm -a /export/s28/MDB_s28x_wos/latest/boot.3\fR
/dev/lofi/1
# \fBmount -F pcfs /dev/lofi/1 /mnt\fR
# \fBls /mnt\fR
\&./              COMMENT.BAT*    RC.D/           SOLARIS.MAP*
\&../             IDENT*          REPLACE.BAT*    X/
APPEND.BAT*     MAKEDIR.BAT*    SOLARIS/
# \fBumount /mnt\fR
# \fBlofiadm -d /export/s28/MDB_s28x_wos/latest/boot.3\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRMaking a \fBUFS\fR Filesystem on a File
.sp
.LP
Making a \fBUFS\fR filesystem on a file can be useful, particularly if a test
suite requires a scratch filesystem. It can be painful (or annoying) to have to
repartition a disk just for the test suite, but you do not have to. You can
\fBnewfs\fR a file with \fBlofi\fR.

.sp
.LP
Create the file:

.sp
.in +2
.nf
# \fBmkfile 35m /export/home/test\fR
.fi
.in -2
.sp

.sp
.LP
Attach it to a block device. You also get the character device that \fBnewfs\fR
requires, so \fBnewfs\fR that:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/test\fR
/dev/lofi/1
# \fBnewfs /dev/rlofi/1\fR
newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
/dev/rlofi/1:   71638 sectors in 119 cylinders of 1 tracks, 602 sectors
        35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
.fi
.in -2
.sp

.sp
.LP
Note that \fBufs\fR might not be able to use the entire file.
Mount and use the
filesystem:

.sp
.in +2
.nf
# \fBmount /dev/lofi/1 /mnt\fR
# \fBdf -k /mnt\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1            33455       9   30101     1%    /mnt
# \fBls /mnt\fR
\&./      ../     lost+found/
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
.fi
.in -2
.sp

.LP
\fBExample 4 \fRCreating a PC (FAT) File System on a Unix File
.sp
.LP
The following series of commands creates a \fBFAT\fR file system on a Unix
file. The file is associated with a block device created by \fBlofiadm\fR.

.sp
.in +2
.nf
# \fBmkfile 10M /export/test/testfs\fR
# \fBlofiadm -a /export/test/testfs\fR
/dev/lofi/1
\fBNote use of\fR rlofi\fB, not\fR lofi\fB, in following command.\fR
# \fBmkfs -F pcfs -o nofdisk,size=20480 /dev/rlofi/1\fR
\fBConstruct a new FAT file system on /dev/rlofi/1: (y/n)?\fR y
# \fBmount -F pcfs /dev/lofi/1 /mnt\fR
# \fBcd /mnt\fR
# \fBdf -k .\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1            10142       0   10142     0%    /mnt
.fi
.in -2
.sp

.LP
\fBExample 5 \fRCompressing an Existing CD-ROM Image
.sp
.LP
The following example illustrates compressing an existing CD-ROM image
(\fBsolaris.iso\fR), verifying that the image is compressed, and then
uncompressing it.

.sp
.in +2
.nf
# \fBlofiadm -C gzip /export/home/solaris.iso\fR
.fi
.in -2
.sp

.sp
.LP
Use \fBlofiadm\fR to attach a block device to it:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/solaris.iso\fR
/dev/lofi/1
.fi
.in -2
.sp

.sp
.LP
Check if the mapped image is compressed:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /export/home/solaris.iso       Compressed(gzip)
/dev/lofi/2              /export/home/regular.iso       -
.fi
.in -2
.sp

.sp
.LP
Unmap the compressed image and uncompress it:

.sp
.in +2
.nf
# \fBlofiadm -d /dev/lofi/1\fR
# \fBlofiadm -U /export/home/solaris.iso\fR
.fi
.in -2
.sp

.LP
\fBExample 6 \fRCreating an Encrypted UFS File System on a File
.sp
.LP
This example is similar to the example of making a UFS filesystem on a file,
above.

.sp
.LP
Create the file:

.sp
.in +2
.nf
# \fBmkfile 35m /export/home/secrets\fR
.fi
.in -2
.sp

.sp
.LP
Attach the file to a block device and specify that the file image is encrypted.
As a result of this command, you obtain the character device, which is
subsequently used by \fBnewfs\fR:

.sp
.in +2
.nf
# \fBlofiadm -c aes-256-cbc -a /export/home/secrets\fR
Enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR          (\fBnot echoed\fR)
Re-enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR       (\fBnot echoed\fR)
/dev/lofi/1

# \fBnewfs /dev/rlofi/1\fR
newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
/dev/rlofi/1:   71638 sectors in 119 cylinders of 1 tracks, 602 sectors
        35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
 32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
.fi
.in -2
.sp

.sp
.LP
The mapped file system shows that encryption is enabled:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /export/home/secrets           Encrypted
.fi
.in -2
.sp

.sp
.LP
Mount and use the filesystem:

.sp
.in +2
.nf
# \fBmount /dev/lofi/1 /mnt\fR
# \fBcp moms_secret_*_recipe /mnt\fR
# \fBls /mnt\fR
\&./           moms_secret_cookie_recipe    moms_secret_soup_recipe
\&../          moms_secret_fudge_recipe     moms_secret_stuffing_recipe
lost+found/  moms_secret_meatloaf_recipe  moms_secret_waffle_recipe
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
.fi
.in -2
.sp

.sp
.LP
Subsequent attempts to map the filesystem with the wrong key or the wrong
encryption algorithm will fail:

.sp
.in +2
.nf
# \fBlofiadm -c blowfish-cbc -a /export/home/secrets\fR
Enter passphrase: \fBmommy\fR               (\fInot echoed\fR)
Re-enter passphrase: \fBmommy\fR            (\fInot echoed\fR)
lofiadm: could not map file /root/lofi: Invalid argument
# \fBlofiadm\fR
Block Device             File                           Options
#
.fi
.in -2
.sp

.sp
.LP
Attempts to map the filesystem without encryption will succeed, however
attempts to mount and use the filesystem will fail:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/secrets\fR
/dev/lofi/1
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /export/home/secrets           -
# \fBmount /dev/lofi/1 /mnt\fR
mount: /dev/lofi/1 is not this fstype
#
.fi
.in -2
.sp

.SH ENVIRONMENT VARIABLES
.sp
.LP
See \fBenviron\fR(5) for descriptions of the following
environment variables
that affect the execution of \fBlofiadm\fR: \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR
and \fBNLSPATH\fR.
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB>0\fR\fR
.ad
.sp .6
.RS 4n
An error occurred.
.RE

.SH SEE ALSO
.sp
.LP
\fBfsck\fR(1M), \fBmount\fR(1M), \fBmount_ufs\fR(1M), \fBnewfs\fR(1M),
\fBattributes\fR(5), \fBlofi\fR(7D), \fBlofs\fR(7FS)
.SH NOTES
.sp
.LP
Just as you would not directly access a disk device that has mounted file
systems, you should not access a file associated with a block device except
through the \fBlofi\fR file driver. It might also be appropriate to ensure that
the file has appropriate permissions to prevent such access.
.sp
.LP
The abilities of \fBlofiadm\fR, and who can use them, are controlled by the
permissions of \fB/dev/lofictl\fR. Read-access allows query operations, such as
listing all the associations. Write-access is required to do any state-changing
operations, like adding an association. As shipped, \fB/dev/lofictl\fR is owned
by \fBroot\fR, in group \fBsys\fR, and mode \fB0644\fR, so all users can do
query operations but only root can change anything. The administrator can give
users write-access, allowing them to add or delete associations, but that is
very likely a security hole and should probably only be given to a trusted
group.
.sp
.LP
When mounting a filesystem image, take care to use appropriate mount options.
In particular, the \fBnosuid\fR mount option might be appropriate for \fBUFS\fR
images whose origin is unknown. Also, some options might not be useful or
appropriate, like \fBlogging\fR or \fBforcedirectio\fR for \fBUFS\fR.
For compatibility purposes, a raw device is also exported along with the block
device. For example, \fBnewfs\fR(1M) requires one.
.sp
.LP
The output of \fBlofiadm\fR (without arguments) might change in future
releases.
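.sp
.LP
A check for the two permission points raised in NOTES, added here as an example and not part of the original manual page or the lofiadm sources: it flags group or other write access on \fB/dev/lofictl\fR and on each backing file in a \fBlofiadm\fR listing. The function names are this example's own, and the listing layout is assumed to be the one shown in EXAMPLES.

```shell
#!/bin/sh
# Added example: audit write exposure of /dev/lofictl and lofi backing files.
# Function names are hypothetical; the listing layout is the one shown in
# EXAMPLES, which the page warns might change in future releases.

# writable_by_others PATH
# Returns 0 if group or other has write permission, 1 if not, 2 if PATH
# cannot be inspected. -L follows a symbolic link if PATH is one.
writable_by_others() {
    wbo_mode=$(ls -ldLn "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$wbo_mode" ] || return 2
    case "$wbo_mode" in
        ?????w*|????????w*) return 0 ;;   # char 6: group w, char 9: other w
    esac
    return 1
}

# report_exposure PATH MESSAGE
# Prints one finding and returns 1 if PATH is exposed or cannot be inspected.
report_exposure() {
    rc=0
    writable_by_others "$1" || rc=$?
    case $rc in
        0) echo "$1: $2"; return 1 ;;
        2) echo "$1: cannot inspect permissions"; return 1 ;;
    esac
    return 0
}

# audit_lofi [CTL] < listing
# Reads a lofiadm listing on stdin; returns 0 only when nothing was flagged.
# Paths containing whitespace are not handled.
audit_lofi() {
    findings=0
    report_exposure "${1:-/dev/lofictl}" \
        "group or other can add and delete associations" ||
        findings=$((findings + 1))
    while read -r dev file opts; do
        case "$dev" in /dev/lofi/*) ;; *) continue ;; esac   # skips the header
        [ "$file" = "?" ] && continue     # path not resolvable in this zone
        report_exposure "$file" \
            "backing file of $dev is writable by group or other" ||
            findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}
```

Run it as \fBlofiadm | audit_lofi\fR; a nonzero exit status means at least one finding was printed.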
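.sp
.LP
The EXAMPLES section has no case for \fB-k\fR \fIraw_key_file\fR, so the following is an added example (not from the original page) that creates a key file of exactly the required length, readable by its owner only, and attaches an image with it. The helper names and the \fBKEY_SOURCE\fR variable are assumptions of this example, and only the AES operands are handled because their names state the key size in bits.

```shell
#!/bin/sh
# Added example: create a raw key file for lofiadm -k and attach with it.
# Helper names and KEY_SOURCE are hypothetical, not part of lofiadm.

# Key length in bytes for the AES operands, whose names carry the size in
# bits. des3-cbc and blowfish-cbc are deliberately not handled here.
aes_key_bytes() {
    case "$1" in
        aes-128-cbc) echo 16 ;;
        aes-192-cbc) echo 24 ;;
        aes-256-cbc) echo 32 ;;
        *) echo "not handled in this example: $1" >&2; return 1 ;;
    esac
}

# make_raw_key ALGORITHM KEYFILE
# Creates KEYFILE (never overwrites one) with mode 0600 and exactly the
# number of random bytes ALGORITHM needs.
make_raw_key() (
    alg=$1; out=$2
    n=$(aes_key_bytes "$alg") || exit 1
    umask 077        # subshell body, so the caller's umask is unchanged
    set -C           # noclobber: the create below fails if KEYFILE exists
    : > "$out" || exit 1
    # bs=1 so that a short read cannot leave the key under-length
    dd if="${KEY_SOURCE:-/dev/random}" of="$out" bs=1 count="$n" \
        2>/dev/null || true
    size=$(($(wc -c < "$out")))
    if [ "$size" -ne "$n" ]; then
        rm -f "$out"
        echo "wrote $size bytes, need $n" >&2
        exit 1
    fi
)

# attach_with_key ALGORITHM KEYFILE IMAGE
# Prints the lofi device. The same ALGORITHM and KEYFILE must be given on
# every later attach, because the algorithm is not stored in the image.
attach_with_key() {
    lofiadm -c "$1" -k "$2" -a "$3"
}
```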