From: Jamie Lokier <jamie@shareable.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	hch@infradead.org, akpm@osdl.org,
	viro@parcelfarce.linux.theplanet.co.uk
Subject: Re: [RFC] FUSE permission modell (Was: fuse review bits)
Date: Mon, 11 Apr 2005 19:22:57 +0100
Message-ID: <20050411182257.GC32535@mail.shareable.org>
In-Reply-To: <E1DL08S-0008UH-00@dorka.pomaz.szeredi.hu>

Miklos Szeredi wrote:
>   1) User must not be able to modify files or directories in a way
>      which he otherwise could not do (e.g. mount a filesystem over
>      /bin)
> 
>   2) Suid and device semantics should be disabled within the mount
> 
>   3) No other user should have access to files under the mount, not
>      even root[5]

Why?  I can see plenty of uses where I want a filesystem generated by
one user to be accessible by other users.  That policy should not be
hard-coded into the kernel.  It might be an option.

>   4) Access should not be further restricted for the owner of the
>      mount, even if permission bits, uid or gid would suggest
>      otherwise

Why?  Surely you want to prevent writing to files which don't have the
writable bit set?  A filesystem may also create append-only files -
and all users including the mount owner should be bound by that.

>   5) As much of the available information should be exported via the
>      filesystem as possible

This is the root of the conflict.  You are trying to overload the
permission bits and uid/gid to mean something different than they
normally do.

While it's convenient to see some "remote" information such as the
uid/gid in a tar file, are you sure it's a good idea to break the unix
permissions model - which will break some programs?  (For example, try
editing a file with the broken semantics in an editor which checks the
uid/gid of the file against the current user).

For most virtual filesystems, the "remote" information does not map to
uid/gid in a particularly natural way anyway.  So it seems odd to want
to break the unix permissions model just so that a small _subset_ of
virtual filesystems can use stat() as a way to get a bit of
information out, when other virtual filesystems (e.g. webdavfs) can't
put meaningful information in there, and would benefit from normal
unix permissions instead.

>   1) Only allow mount over a directory for which the user has write
>      access (and is not sticky)

Seems good - but why not sticky?  Mounting a user filesystem in
/tmp/user-xxx/my-mount-point seems not unreasonable - provided the
administrator can delete the directory (which is possible with
detachable mount points).

>   2) Use nosuid,nodev mount options

Of course.  Ideally, make sure they appear to be set in /proc/mounts.

(root (or equivalent) should be able to create virtual filesystems
without these options, but probably they should be set by default even
for root, and clearable using suid,dev).

>   3) In permission method of FUSE kernel module compare fsuid against
>      mounting user's ID, and return EACCES if they are not equal.

Bad.  How do I, user A, then create a virtual filesystem which I want
user B to be able to access?

>   4) The filesystem daemon does not run with elevated permissions.
>      The kernel doesn't check file mode in the permission method.

I like the idea that the fs daemon doesn't need elevated permissions.

>   5) The filesystem daemon is free to fill in all file attributes to
>      any (sane) value, and the kernel won't modify these.

Dangerous, because an administrative program might actually trust the
attributes to mean what they normally mean in the unix permissions model.

> The debated part is 3) and 4), namely that normal permission checking
> based on file mode is bypassed, and the mounting user has full
> permission to all files, while other users have none.
> 
> This feature has been in FUSE from the start and thus has been very
> well tested in real world scenarios.  Also I have thought a lot about
> how this could pose any kind of security threat, and as yet found no
> such possibility.

Ok, but why do you prevent the useful behaviour of allowing access to
other users, when I want that?  For example, I might export my current
project's database as a filesystem that I _want_ other users to be
able to read.

> Despite this Christoph feels this behavior is unacceptable for a
> filesystem, and wants me to remove this feature before merging FUSE
> into mainline.  I try to be open to ideas, but also feel strongly that
> this is the Right Way, so I won't give up easily.

I agree with Christoph.  It is a huge deviation from the unix
permissions model -- and it seems to prevent some useful applications
of FUSE so it's not clear why you want it.

-- Jamie

