'\" te
.\" Copyright (c) 2016 Andrey Sokolov
.\" Copyright 2013 Nexenta Systems, Inc. All rights reserved.
.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH LOFIADM 1M "Aug 28, 2013"
.SH NAME
lofiadm \- administer files available as block devices through lofi
.SH SYNOPSIS
.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] [\fB-o\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-k\fR \fIraw_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-T\fR \fItoken_key\fR
\fB-k\fR \fIwrapped_key_file\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR [\fB-r\fR] \fB-c\fR \fIcrypto_algorithm\fR \fB-e\fR \fB-a\fR \fIfile\fR [\fIdevice\fR]
.fi

.LP
.nf
\fBlofiadm\fR \fB-C\fR \fIalgorithm\fR [\fB-s\fR \fIsegment_size\fR] \fIfile\fR
.fi

.LP
.nf
\fBlofiadm\fR \fB-d\fR \fIfile\fR | \fIdevice\fR
.fi

.LP
.nf
\fBlofiadm\fR \fB-U\fR \fIfile\fR
.fi

.LP
.nf
\fBlofiadm\fR [ \fIfile\fR | \fIdevice\fR]
.fi

.SH DESCRIPTION
.LP
\fBlofiadm\fR administers \fBlofi\fR, the loopback file driver. \fBlofi\fR
allows a file to be associated with a block device. That file can then be
accessed through the block device. This is useful when the file contains an
image of some filesystem (such as a floppy or \fBCD-ROM\fR image), because the
block device can then be used with the normal system utilities for mounting,
checking or repairing filesystems. See \fBfsck\fR(1M) and \fBmount\fR(1M).
.sp
.LP
Use \fBlofiadm\fR to add a file as a loopback device, remove such an
association, or print information about the current associations.
.sp
.LP
Encryption and compression options are mutually exclusive on the command line.
Further, an encrypted file cannot be compressed later, nor can a compressed
file be encrypted later.

In the global zone, \fBlofiadm\fR can be used on both the global
zone devices and all devices owned by other non-global zones on the system.
.sp
.SH OPTIONS
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-a\fR \fIfile\fR [\fIdevice\fR]\fR
.ad
.sp .6
.RS 4n
Add \fIfile\fR as a block device.
.sp
If \fIdevice\fR is not specified, an available device is picked.
.sp
If \fIdevice\fR is specified, \fBlofiadm\fR attempts to assign it to
\fIfile\fR. \fIdevice\fR must be available or \fBlofiadm\fR will fail. The
ability to specify a device is provided for use in scripts that wish to
reestablish a particular set of associations.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR {\fIgzip\fR | \fIgzip-N\fR | \fIlzma\fR}\fR
.ad
.sp .6
.RS 4n
Compress the file with the specified compression algorithm.
.sp
The \fBgzip\fR compression algorithm uses the same compression as the
open-source \fBgzip\fR command. You can specify the \fBgzip\fR level by using
the value \fBgzip-\fR\fIN\fR where \fIN\fR is 6 (fast) or 9 (best compression
ratio). Currently, \fBgzip\fR, without a number, is equivalent to \fBgzip-6\fR
(which is also the default for the \fBgzip\fR command).
.sp
\fIlzma\fR stands for the LZMA (Lempel-Ziv-Markov) compression algorithm.
.sp
Note that you cannot write to a compressed file, nor can you mount a compressed
file read/write.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR \fIfile\fR | \fIdevice\fR\fR
.ad
.sp .6
.RS 4n
Remove an association by \fIfile\fR or \fIdevice\fR name, if the associated
block device is not busy, and deallocate the block device.
.RE

.sp
.ne 2
.na
\fB\fB-o\fR
.ad
.sp .6
.RS 4n
If the \fB-o\fR option is specified, \fBlofiadm\fR will prompt for a passphrase once.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR
.ad
.sp .6
.RS 4n
If the \fB-r\fR option is specified before the \fB-a\fR option, the
\fIdevice\fR will be opened read-only.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsegment_size\fR\fR
.ad
.sp .6
.RS 4n
The segment size to use to divide the file being compressed. \fIsegment_size\fR
can be an integer multiple of 512.
.RE

.sp
.ne 2
.na
\fB\fB-U\fR \fIfile\fR\fR
.ad
.sp .6
.RS 4n
Uncompress a compressed file.
.RE

.sp
.LP
The following options are used when the file is encrypted:
.sp
.ne 2
.na
\fB\fB-c\fR \fIcrypto_algorithm\fR\fR
.ad
.sp .6
.RS 4n
Select the encryption algorithm. The algorithm must be specified when
encryption is enabled because the algorithm is not stored in the disk image.
.sp
If none of \fB-e\fR, \fB-k\fR, or \fB-T\fR is specified, \fBlofiadm\fR prompts
for a passphrase with a minimum length of eight characters.
The passphrase is used to derive a symmetric encryption key using PKCS#5 PBKDF2.
.RE

.sp
.ne 2
.na
\fB\fB-k\fR \fIraw_key_file\fR | \fIwrapped_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to raw or wrapped symmetric encryption key. If a PKCS#11 object is also
given with the \fB-T\fR option, then the key is wrapped by that object. If
\fB-T\fR is not specified, the key is used raw.
.RE

.sp
.ne 2
.na
\fB\fB-T\fR \fItoken_key\fR\fR
.ad
.sp .6
.RS 4n
The key in a PKCS#11 token to use for the encryption or for unwrapping the key
file.
.sp
If \fB-k\fR is also specified, \fB-T\fR identifies the unwrapping key, which
must be an RSA private key.
.RE

.sp
.ne 2
.na
\fB\fB-e\fR\fR
.ad
.sp .6
.RS 4n
Generate an ephemeral symmetric encryption key.
.RE

.SH OPERANDS
.LP
The following operands are supported:
.sp
.ne 2
.na
\fB\fIcrypto_algorithm\fR\fR
.ad
.sp .6
.RS 4n
One of: \fBaes-128-cbc\fR, \fBaes-192-cbc\fR, \fBaes-256-cbc\fR,
\fBdes3-cbc\fR, \fBblowfish-cbc\fR.
.RE

.sp
.ne 2
.na
\fB\fIdevice\fR\fR
.ad
.sp .6
.RS 4n
Display the file name associated with the block device \fIdevice\fR.
.sp
Without arguments, print a list of the current associations. Filenames must be
valid absolute pathnames.
.sp
When a file is added, it is opened for reading or writing by root. Any
restrictions apply (such as restricted root access over \fBNFS\fR). The file is
held open until the association is removed. It is not actually accessed until
the block device is used, so it will never be written to if the block device is
only opened read-only.

Note that the filename may appear as "?" if it is not possible to resolve the
path in the current context (for example, if it's an NFS path in a non-global
zone).
.RE

.sp
.ne 2
.na
\fB\fIfile\fR\fR
.ad
.sp .6
.RS 4n
Display the block device associated with \fIfile\fR.
.RE

.sp
.ne 2
.na
\fB\fIraw_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to a file of the appropriate length, in bits, to use as a raw symmetric
encryption key.
.RE
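
The following sh function is an added example, not part of lofiadm or its source. It checks that a raw key file has a length that fits the chosen crypto_algorithm and that group and other have no access to it. Assumptions: the byte lengths are the standard key sizes of these ciphers, the range lofiadm accepts for blowfish-cbc is not stated on this page, and the name check_raw_key and its return codes are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for a raw key file passed with -k.
# check_raw_key ALGORITHM KEYFILE
# Returns 0 if usable, 1 unknown algorithm, 2 missing or unreadable file,
# 3 wrong length, 4 file accessible to group or other.
check_raw_key() {
    alg=$1
    keyfile=$2

    # Key length in bytes for each crypto_algorithm operand.
    case $alg in
        aes-128-cbc)  min=16; max=16 ;;
        aes-192-cbc)  min=24; max=24 ;;
        aes-256-cbc)  min=32; max=32 ;;
        des3-cbc)     min=24; max=24 ;;
        # Assumption: the full Blowfish range of 32 to 448 bits.
        blowfish-cbc) min=4;  max=56 ;;
        *) echo "unknown crypto_algorithm: $alg" >&2; return 1 ;;
    esac

    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "$keyfile: not a readable regular file" >&2
        return 2
    fi

    # The key is used raw, so every byte of the file is key material.
    size=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$size" -lt "$min" ] || [ "$size" -gt "$max" ]; then
        echo "$keyfile: $size bytes, $alg needs $min to $max" >&2
        return 3
    fi

    # First ten characters of ls -l are the type and permission bits;
    # the last six must all be '-' (no group or other access).
    perms=$(ls -ldL "$keyfile" | cut -c1-10)
    case $perms in
        ????------) ;;
        *) echo "$keyfile: permissions $perms expose the key" >&2; return 4 ;;
    esac
    return 0
}

# Stand-alone use: check_raw_key.sh aes-256-cbc /path/to/keyfile
if [ "$#" -eq 2 ]; then
    check_raw_key "$1" "$2"
fi
```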

.sp
.ne 2
.na
\fB\fItoken_key\fR\fR
.ad
.sp .6
.RS 4n
PKCS#11 token object in the format:
.sp
.in +2
.nf
\fItoken_name\fR:\fImanufacturer_id\fR:\fIserial_number\fR:\fIkey_label\fR
.fi
.in -2
.sp

All but the key label are optional and can be empty. For example, to specify a
token object with only its key label \fBMylofiKey\fR, use:
.sp
.in +2
.nf
-T :::MylofiKey
.fi
.in -2
.sp

.RE

.sp
.ne 2
.na
\fB\fIwrapped_key_file\fR\fR
.ad
.sp .6
.RS 4n
Path to file containing a symmetric encryption key wrapped by the RSA private
key specified by \fB-T\fR.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRMounting an Existing CD-ROM Image
.sp
.LP
You should ensure that Solaris understands the image before creating the
\fBCD\fR. \fBlofi\fR allows you to mount the image and see if it works.

.sp
.LP
This example mounts an existing \fBCD-ROM\fR image (\fBsparc.iso\fR) of the
\fBRed Hat 6.0 CD\fR, which was downloaded from the Internet. It was created
with the \fBmkisofs\fR utility from the Internet.

.sp
.LP
Use \fBlofiadm\fR to attach a block device to it:

.sp
.in +2
.nf
# \fBlofiadm -a /home/mike_s/RH6.0/sparc.iso\fR
/dev/lofi/1
.fi
.in -2
.sp

.sp
.LP
\fBlofiadm\fR picks the device and prints the device name to the standard
output. You can run \fBlofiadm\fR again by issuing the following command:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /home/mike_s/RH6.0/sparc.iso   -
.fi
.in -2
.sp

.sp
.LP
Or, you can give it one name and ask for the other, by issuing the following
command:

.sp
.in +2
.nf
# \fBlofiadm /dev/lofi/1\fR
/home/mike_s/RH6.0/sparc.iso
.fi
.in -2
.sp

.sp
.LP
Use the \fBmount\fR command to mount the image:

.sp
.in +2
.nf
# \fBmount -F hsfs -o ro /dev/lofi/1 /mnt\fR
.fi
.in -2
.sp

.sp
.LP
Check to ensure that Solaris understands the image:

.sp
.in +2
.nf
# \fBdf -k /mnt\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1           512418  512418       0   100%    /mnt
# \fBls /mnt\fR
\&./            RedHat/       doc/          ls-lR         rr_moved/
\&../           TRANS.TBL     dosutils/     ls-lR.gz      sbin@
\&.buildlog     bin@          etc@          misc/         tmp/
COPYING       boot/         images/       mnt/          usr@
README        boot.cat*     kernels/      modules/
RPM-PGP-KEY   dev@          lib@          proc/
.fi
.in -2
.sp

.sp
.LP
Solaris can mount the CD-ROM image, and understand the filenames. The image was
created properly, and you can now create the \fBCD-ROM\fR with confidence.

.sp
.LP
As a final step, unmount and detach the image:

.sp
.in +2
.nf
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
# \fBlofiadm\fR
Block Device             File                           Options
.fi
.in -2
.sp

.LP
\fBExample 2 \fRMounting a Floppy Image
.sp
.LP
This is similar to the first example.

.sp
.LP
Using \fBlofi\fR to help you mount files that contain floppy images is helpful
if a floppy disk contains a file that you need, but the machine which you are
on does not have a floppy drive. It is also helpful if you do not want to take
the time to use the \fBdd\fR command to copy the image to a floppy.

.sp
.LP
This is an example of getting to the \fBMDB\fR floppy for Solaris on an x86
platform:

.sp
.in +2
.nf
# \fBlofiadm -a /export/s28/MDB_s28x_wos/latest/boot.3\fR
/dev/lofi/1
# \fBmount -F pcfs /dev/lofi/1 /mnt\fR
# \fBls /mnt\fR
\&./            COMMENT.BAT*  RC.D/         SOLARIS.MAP*
\&../           IDENT*        REPLACE.BAT*  X/
APPEND.BAT*   MAKEDIR.BAT*  SOLARIS/
# \fBumount /mnt\fR
# \fBlofiadm -d /export/s28/MDB_s28x_wos/latest/boot.3\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRMaking a \fBUFS\fR Filesystem on a File
.sp
.LP
Making a \fBUFS\fR filesystem on a file can be useful, particularly if a test
suite requires a scratch filesystem. It can be painful (or annoying) to have to
repartition a disk just for the test suite, but you do not have to. You can
\fBnewfs\fR a file with \fBlofi\fR.

.sp
.LP
Create the file:

.sp
.in +2
.nf
# \fBmkfile 35m /export/home/test\fR
.fi
.in -2
.sp

.sp
.LP
Attach it to a block device. You also get the character device that \fBnewfs\fR
requires, so \fBnewfs\fR that:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/test\fR
/dev/lofi/1
# \fBnewfs /dev/rlofi/1\fR
newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
/dev/rlofi/1: 71638 sectors in 119 cylinders of 1 tracks, 602 sectors
35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
.fi
.in -2
.sp

.sp
.LP
Note that \fBufs\fR might not be able to use the entire file. Mount and use the
filesystem:

.sp
.in +2
.nf
# \fBmount /dev/lofi/1 /mnt\fR
# \fBdf -k /mnt\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1            33455       9   30101     1%    /mnt
# \fBls /mnt\fR
\&./ ../ lost+found/
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
.fi
.in -2
.sp

.LP
\fBExample 4 \fRCreating a PC (FAT) File System on a Unix File
.sp
.LP
The following series of commands creates a \fBFAT\fR file system on a Unix
file. The file is associated with a block device created by \fBlofiadm\fR.

.sp
.in +2
.nf
# \fBmkfile 10M /export/test/testfs\fR
# \fBlofiadm -a /export/test/testfs\fR
/dev/lofi/1
\fBNote use of\fR rlofi\fB, not\fR lofi\fB, in following command.\fR
# \fBmkfs -F pcfs -o nofdisk,size=20480 /dev/rlofi/1\fR
\fBConstruct a new FAT file system on /dev/rlofi/1: (y/n)?\fR y
# \fBmount -F pcfs /dev/lofi/1 /mnt\fR
# \fBcd /mnt\fR
# \fBdf -k .\fR
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/lofi/1            10142       0   10142     0%    /mnt
.fi
.in -2
.sp

.LP
\fBExample 5 \fRCompressing an Existing CD-ROM Image
.sp
.LP
The following example illustrates compressing an existing CD-ROM image
(\fBsolaris.iso\fR), verifying that the image is compressed, and then
uncompressing it.

.sp
.in +2
.nf
# \fBlofiadm -C gzip /export/home/solaris.iso\fR
.fi
.in -2
.sp

.sp
.LP
Use \fBlofiadm\fR to attach a block device to it:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/solaris.iso\fR
/dev/lofi/1
.fi
.in -2
.sp

.sp
.LP
Check if the mapped image is compressed:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /export/home/solaris.iso       Compressed(gzip)
/dev/lofi/2              /export/home/regular.iso       -
.fi
.in -2
.sp

.sp
.LP
Unmap the compressed image and uncompress it:

.sp
.in +2
.nf
# \fBlofiadm -d /dev/lofi/1\fR
# \fBlofiadm -U /export/home/solaris.iso\fR
.fi
.in -2
.sp

.LP
\fBExample 6 \fRCreating an Encrypted UFS File System on a File
.sp
.LP
This example is similar to the example of making a UFS filesystem on a file,
above.

.sp
.LP
Create the file:

.sp
.in +2
.nf
# \fBmkfile 35m /export/home/secrets\fR
.fi
.in -2
.sp

.sp
.LP
Attach the file to a block device and specify that the file image is encrypted.
As a result of this command, you obtain the character device, which is
subsequently used by \fBnewfs\fR:

.sp
.in +2
.nf
# \fBlofiadm -c aes-256-cbc -a /export/home/secrets\fR
Enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR (\fBnot echoed\fR)
Re-enter passphrase: \fBMy-M0th3r;l0v3s_m3+4lw4ys!\fR (\fBnot echoed\fR)
/dev/lofi/1

# \fBnewfs /dev/rlofi/1\fR
newfs: construct a new file system /dev/rlofi/1: (y/n)? \fBy\fR
/dev/rlofi/1: 71638 sectors in 119 cylinders of 1 tracks, 602 sectors
35.0MB in 8 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 9664, 19296, 28928, 38560, 48192, 57824, 67456,
.fi
.in -2
.sp

.sp
.LP
The mapped file system shows that encryption is enabled:

.sp
.in +2
.nf
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /export/home/secrets           Encrypted
.fi
.in -2
.sp

.sp
.LP
Mount and use the filesystem:

.sp
.in +2
.nf
# \fBmount /dev/lofi/1 /mnt\fR
# \fBcp moms_secret_*_recipe /mnt\fR
# \fBls /mnt\fR
\&./          moms_secret_cookie_recipe    moms_secret_soup_recipe
\&../         moms_secret_fudge_recipe     moms_secret_stuffing_recipe
lost+found/ moms_secret_meatloaf_recipe  moms_secret_waffle_recipe
# \fBumount /mnt\fR
# \fBlofiadm -d /dev/lofi/1\fR
.fi
.in -2
.sp

.sp
.LP
Subsequent attempts to map the filesystem with the wrong key or the wrong
encryption algorithm will fail:

.sp
.in +2
.nf
# \fBlofiadm -c blowfish-cbc -a /export/home/secrets\fR
Enter passphrase: \fBmommy\fR (\fInot echoed\fR)
Re-enter passphrase: \fBmommy\fR (\fInot echoed\fR)
lofiadm: could not map file /export/home/secrets: Invalid argument
# \fBlofiadm\fR
Block Device             File                           Options
#
.fi
.in -2
.sp

.sp
.LP
Attempts to map the filesystem without encryption will succeed; however,
attempts to mount and use the filesystem will fail:

.sp
.in +2
.nf
# \fBlofiadm -a /export/home/secrets\fR
/dev/lofi/1
# \fBlofiadm\fR
Block Device             File                           Options
/dev/lofi/1              /export/home/secrets           -
# \fBmount /dev/lofi/1 /mnt\fR
mount: /dev/lofi/1 is not this fstype
#
.fi
.in -2
.sp

.SH ENVIRONMENT VARIABLES
.LP
See \fBenviron\fR(5) for descriptions of the following environment variables
that affect the execution of \fBlofiadm\fR: \fBLC_CTYPE\fR, \fBLC_MESSAGES\fR
and \fBNLSPATH\fR.
.SH EXIT STATUS
.LP
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB>0\fR\fR
.ad
.sp .6
.RS 4n
An error occurred.
.RE

.SH SEE ALSO
.LP
\fBfsck\fR(1M), \fBmount\fR(1M), \fBmount_ufs\fR(1M), \fBnewfs\fR(1M),
\fBattributes\fR(5), \fBlofi\fR(7D), \fBlofs\fR(7FS)
.SH NOTES
.LP
Just as you would not directly access a disk device that has mounted file
systems, you should not access a file associated with a block device except
through the \fBlofi\fR file driver. It might also be appropriate to ensure that
the file has appropriate permissions to prevent such access.
.sp
.LP
The abilities of \fBlofiadm\fR, and who can use them, are controlled by the
permissions of \fB/dev/lofictl\fR. Read-access allows query operations, such as
listing all the associations. Write-access is required to do any state-changing
operations, like adding an association. As shipped, \fB/dev/lofictl\fR is owned
by \fBroot\fR, in group \fBsys\fR, and mode \fB0644\fR, so all users can do
query operations but only root can change anything. The administrator can give
users write-access, allowing them to add or delete associations, but that is
very likely a security hole and should probably only be given to a trusted
group.
.sp
.LP
When mounting a filesystem image, take care to use appropriate mount options.
In particular, the \fBnosuid\fR mount option might be appropriate for \fBUFS\fR
images whose origin is unknown. Also, some options might not be useful or
appropriate, like \fBlogging\fR or \fBforcedirectio\fR for \fBUFS\fR. For
compatibility purposes, a raw device is also exported along with the block
device. For example, \fBnewfs\fR(1M) requires one.
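
The mount advice above as sh functions, added here as an example and not taken from lofiadm or the lofi sources: an image of unknown origin is attached read-only with -r, mounted ro,nosuid, and the association is removed again if the mount fails. The function names, the ufs default and the return codes are assumptions.

```shell
#!/bin/sh
# Added example: handle a filesystem image of unknown origin.
# Function names and return codes are illustrative, not part of lofiadm.

# mount_untrusted_image IMAGE MOUNTPOINT [FSTYPE]
# Prints the lofi block device on success.
# Returns 1 if the attach fails, 2 if the mount fails, 3 on a relative path.
mount_untrusted_image() {
    image=$1
    mnt=$2
    fstype=${3:-ufs}

    # lofiadm requires valid absolute pathnames.
    case $image in
        /*) ;;
        *) echo "image must be an absolute pathname: $image" >&2; return 3 ;;
    esac

    # -r before -a opens the device read-only, so the image file is
    # never written to while it is being inspected.
    dev=$(lofiadm -r -a "$image") || return 1

    # ro: no writes through the mount. nosuid: setuid bits inside the
    # image are not honoured.
    if ! mount -F "$fstype" -o ro,nosuid "$dev" "$mnt"; then
        # Do not leave a stale association behind.
        lofiadm -d "$dev" || echo "could not detach $dev" >&2
        return 2
    fi
    echo "$dev"
}

# release_image MOUNTPOINT DEVICE
# Unmount first: lofiadm -d only removes an association whose block
# device is not busy.
release_image() {
    umount "$1" || return 1
    lofiadm -d "$2"
}
```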
.sp
.LP
The output of \fBlofiadm\fR (without arguments) might change in future
releases.