From: Frank van Maarseveen <frankvm@frankvm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: frankvm@frankvm.com, akpm@osdl.org, aia21@cam.ac.uk,
	arjan@infradead.org, linux-kernel@vger.kernel.org
Subject: Re: FUSE merging?
Date: Fri, 1 Jul 2005 15:05:10 +0200
Message-ID: <20050701130510.GA5805@janus>
In-Reply-To: <E1DoKko-0002ml-00@dorka.pomaz.szeredi.hu>

On Fri, Jul 01, 2005 at 02:36:22PM +0200, Miklos Szeredi wrote:
> > > You mean suid programs are never to touch paths passed to them?
> > 
> > never when euid==root.
> > The pathname could even point into /proc or anything else yet unknown,
> > e.g. by putting some symlinks at the right places. The mere act of
> > opening the file as root could have unwanted side effects already.
> 
> OK, open is out.  However other operations (stat, unlink, chmod etc)
> are always without side effects on "normal" filesystems.  However on
> FUSE they are very much unsafe (can block, not do what was instructed
> and return success, etc).

What about tricking a setuid program to stat into /auto (/mnt/auto,
/misc, whatever it is called)? Then the automounter will act upon a root
request with again possibly unwanted side effects. See how careful a
setuid/full-root program must be in handling user data including pathnames?

FUSE suddenly makes this more obvious but it is not new.

> > > > -	/proc isn't a problem: most root processes tend to avoid it because
> > > > 	it is synthetic and thus uninteresting. Maybe we should extend
> > > > 	the idea of "synthetic file-systems being uninteresting" to any
> > > > 	process which cannot receive signals from the FUSE mount owner. When
> > > > 	one cannot hide data by a FUSE mount and it's synthetic anyway so not
> > > > 	interesting then just show the original empty mount point.
> > > 
> > > Been there.  People (like Al Viro) didn't like it.
> > 
> > including changing the ptraceability test by a signal test and including
> > the (IMHO) required emptiness of the mount stub?
> 
> It's been thrown out for the reason, that it's unacceptable if suid
> programs see a different namespace as non-suid.

You mean root versus non-root, or user versus other user, I assume. Because
the euid (fsuid) is what matters.

But then: this _is_ already the case for NFS when squash_root is in effect
(what about Kerberos et al.?). So there are several reasons to consider
FUSE a nonlocal fs instead of a local one so nothing new there. FUSE could
be used to implement a usable (not perfect) userspace NFS/ftp client.

To require an empty stub to mount FUSE upon makes the whole picture
cleaner: users are only able to extend the namespace _leaf_ nodes for
themselves and processes they can send signals to: setuid programs
which do not fully become root. The existing namespace [nodes] remains
unchanged for everyone.

-- 
Frank
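
Added example, not part of the message above or of the FUSE code: one way a setuid-root program can follow the "never when euid==root" rule, by running stat() on a user-supplied path with the invoker's euid/egid and restoring privileges afterwards. The helper name stat_as_invoker() and the default path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * stat_as_invoker() is a hypothetical helper for a setuid-root program.
 * It runs stat() on a user-supplied path with the invoker's euid/egid
 * (on Linux the fsuid/fsgid follow them), so permission checks, and any
 * side effect of the lookup, happen with the user's authority, not root's.
 * Returns 0 on success, -1 if stat() failed (errno set), -2 if privileges
 * could not be dropped (the path is then never touched).
 */
int stat_as_invoker(const char *path, struct stat *st)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int rc, err;

    /* Group first: after the euid drop, setegid() may no longer be allowed. */
    if (setegid(getgid()) != 0)
        return -2;
    if (seteuid(getuid()) != 0 || geteuid() != getuid()) {
        if (setegid(saved_egid) != 0)
            abort();
        return -2;
    }

    rc = stat(path, st);
    err = errno;

    /* Restore in reverse order; the saved set-user-ID permits this. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();    /* never continue in an unknown privilege state */
    errno = err;
    return rc;
}

int main(int argc, char **argv)
{
    struct stat st;
    const char *path = argc > 1 ? argv[1] : "/";   /* constructed default */
    int rc = stat_as_invoker(path, &st);

    printf("%s: rc=%d mode=%o\n", path, rc, rc == 0 ? (unsigned)st.st_mode : 0u);
    return rc == 0 ? 0 : 1;
}
```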
