On 18.09.2007 16:28, Jeremy Katz wrote:
On Tue, 2007-09-18 at 10:35 +0200, Alexander Larsson wrote:
> On Fri, 2007-09-14 at 10:56 +0200, Thorsten Leemhuis wrote:
>> On 14.09.2007 10:17, Alexander Larsson wrote:
>>>> That's a fuse plugin correct? Uhm... fuse doesn't work out of
>>>> in Fedora currently. I _think_ we still ship fuse in such a way that
>>>> you have to manually take some action add users to the fuse group for
>>>> users that get to use fuse.
>>> Yes we do. And this is totally stupid and will cause pain in the future
>>> when all sorts of features (like gvfs) start using fuse. I have no idea
>>> why this was done, but it has to be fixed.
>> Thx for your kind words to your fellow Fedora developers, much
>> appreciated ;-) (¹)
>> I decided that -- but not alone. In fact IIRC I was urged by lots of
>> high-rank-Fedora-developers (including jeremy and someone from the
>> security team IIRC) to *not* ship fuse as a suid-binary for everyone, as
>> back then (in the early days when fuse hit the kernel) it was highly
>> unclear if the fuse userspace tools were safe enough.
>> If that has changed: sure, let's get rid of this extra burden with
>> adding the user to a special group. But that's up to the current
> If its not safe then wouldn't a better solution be to fix it or not
> ship/install it.
Making sure that things are safe is definitely the right thing to do.
suid but only group executable is purely a "start to get it in while not
making things less secure by default"
While at it maybe someone can explain something about fuse which I never
I got a new laptop three months ago. It came with Windows and thus a
NTFS partition which I only made smaller, but did not remove --
/dev/sda3 to be precise:
$ ls -l /dev/sda3
brw-r----- 1 root disk 8, 3 14. Sep 16:10 /dev/sda3
Okay, it's only read-writable for root and readable for "disk" -- a
group which I'm not part of:
Thus I'm not even able to read from it:
$ dd if=/dev/sda3 bs=512K count=1 | strings
dd: opening `/dev/sda3': Permission denied
Life sucks, but that's how things are supposed to be in linux/unix land
as far as I know. But well, for fuse there seem to exist different rules:
$ mkdir ntfs
$ /sbin/mount.ntfs-3g /dev/sda3 ntfs/
$ touch ntfs/foo
$ ls -l ntfs/foo
-rwxrwxrwx 1 thl thl 0 18. Sep 19:27 ntfs/foo
Which brings me to my questions: Can somebody please explain why the
above it working? Does it mean that if I write my own malicious
fuse.ext3 userspace driver that I can mount each and every block-device
on my system and read or modify the files on it (all by using fuse)?
What if there is a small error in mount.ntfs-3g somewhere -- could it be
abused to destroy a partition on my system while being a ordinary user?
Just wondering -- maybe I just don't understand the concept of fuse
(maybe I'm getting to old for this...). Or maybe there is a bug
somewhere in our packages and that above scenario works? Or a
side-effect of our "add to fuse-group strategy?