From: "U.Mutlu" <for-gmane@mutluit.com>
To: linux-ext4@vger.kernel.org
Subject: Re: generic question: user-only directory w/o root access
Date: Mon, 1 Jun 2015 01:14:23 +0200 [thread overview]
Message-ID: <mkg4kf$429$1@ger.gmane.org> (raw)
In-Reply-To: <mkg2u2$ckm$1@ger.gmane.org>
U.Mutlu wrote on 06/01/2015 12:45 AM:
> Theodore Ts'o wrote on 05/31/2015 08:59 PM:
>> On Sun, May 31, 2015 at 06:07:38PM +0200, U.Mutlu wrote:
>>> how can a non-root user have a directory of his own, without any root access?
>>> Is this somehow possible, or will it be made possible with the new ext4
>>> (ext5?)?
>>
>> You're not going a lot of details about exactly what the use case you
>> have in mind; are you talking about a non-root user creating a file
>> system which then gets mounted somwhere? In practice you still need
>> root to do the mount, or at the very least to set up the /etc/fstab to
>> allow a non-root user to mount a file system at a particular mount
>> point.
>>
>> If it's the latter which you are envisioning, then the root_owner
>> extended option to mke2fs(8) may be what you're looking for.
>>
>> If it isn't please go into a much greater detail about what exactly it
>> is you are trying to do, and why.
>
> A private directory (or private mountpoint) for the user only
> (or for an application running under that 'user'-account).
>
> The rationale behind this is: there are many system programs,
> and other programs running with root rights. The user cannot know
> them all and so cannot trust them. This includes also admins and the root user
> itself.
>
> The idea is to have a truly private directory or a private mountpoint
> where by default nobody else has access to it, incl. root,
> unless the owner grants access to others.
>
> Ideal would be if the content therein were encrypted, as is planned
> for the upcoming new ext4-version.
>
> With such a mechanism high-security applications could be realisied.
>
> It seems with FUSE this is possible, but I have yet to find an encrypted
> filesystem that gives the above mentioned security. Truecrypt does not give
> that security as it itself needs and operates with root rights.
> I don't understand what the TC-programmers have done, because they seem not
> to have understood what FUSE is and can. They wrote their own cr*p around it
> instead of using the FUSE-interface, thereby totally _eliminating_ the good
> security mechanism FUSE offers by default.
>
> So, my wish is to mount an encrypted virtual HD to a mountpoint,
> and nobody else shall have access to it, especially not root or
> any program with root rights.
>
> Does anybody know of such an open-source solution for Linux?
>
Here's a sample FUSE source code (user-land) which demonstrates the above said
security scheme:
/* hello.c
FUSE: Filesystem in Userspace
Copyright (C) 2001-2007 Miklos Szeredi <miklos@szeredi.hu>
This program can be distributed under the terms of the GNU GPL.
See the file COPYING.
Note by U.Mutlu:
this is a sample (hello.c) from the FUSE source distribution
I modified it with my test code.
Compile:
gcc -Wall -o hello hello.c `pkg-config fuse --cflags --libs`
Mounting as user:
compile, s.a.
$ mkdir mnt
$ ./hello mnt
$ ls -l mnt
root trying to access the mountpoint:
in a second window try to access the mountpoint as root --> it will deny
access to root, which is good:
# ls -l
...
d????????? ? ? ? ? ? mnt
...
# ls -l mnt
ls: cannot access mnt: Permission denied
Unmounting:
$ fusermount -u ./mnt
*/
#define FUSE_USE_VERSION 26
#include <fuse.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
static const char* hello_str = "Hello World!\n";
static const char* hello_path = "/hello.txt";
static const char* uenal_str = "hi there\n";
static const char* uenal_path = "/uenal.txt";
static int hello_getattr(const char *path, struct stat *stbuf)
{
memset(stbuf, 0, sizeof(struct stat));
if (strcmp(path, "/") == 0)
{
stbuf->st_mode = S_IFDIR | 0755;
stbuf->st_nlink = 2;
return 0;
}
if (strcmp(path, hello_path) == 0)
{
stbuf->st_mode = S_IFREG | 0444;
stbuf->st_nlink = 1;
stbuf->st_size = strlen(hello_str);
return 0;
}
if (strcmp(path, uenal_path) == 0)
{
stbuf->st_mode = S_IFREG | 0444;
stbuf->st_nlink = 1;
stbuf->st_size = strlen(uenal_str);
return 0;
}
return -ENOENT;
}
static int hello_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
off_t offset, struct fuse_file_info *fi)
{
(void) offset;
(void) fi;
if (strcmp(path, "/") != 0) return -ENOENT;
filler(buf, ".", NULL, 0);
filler(buf, "..", NULL, 0);
filler(buf, hello_path + 1, NULL, 0); // +1 um '/' zu skippen,
s.o.; ...
filler(buf, uenal_path + 1, NULL, 0);
return 0;
}
static int hello_open(const char *path, struct fuse_file_info *fi)
{
// if (strcmp(path, hello_path) != 0) return -ENOENT;
if ((fi->flags & 3) != O_RDONLY) return -EACCES;
return 0;
}
static int hello_read(const char *path, char *buf, size_t size, off_t offset,
struct fuse_file_info *fi)
{
(void) fi;
if (strcmp(path, hello_path) == 0)
{
const size_t len = strlen(hello_str);
if (offset < len)
{
if ((offset + size) > len) size = len - offset;
memcpy(buf, hello_str + offset, size);
}
else
size = 0;
return size;
}
if (strcmp(path, uenal_path) == 0)
{
const size_t len = strlen(uenal_str);
if (offset < len)
{
if ((offset + size) > len) size = len - offset;
memcpy(buf, uenal_str + offset, size);
}
else
size = 0;
return size;
}
return -ENOENT;
}
static struct fuse_operations hello_oper =
{
.getattr = hello_getattr,
.readdir = hello_readdir,
.open = hello_open,
.read = hello_read,
};
int main(int argc, char *argv[])
{
return fuse_main(argc, argv, &hello_oper, NULL);
}
next prev parent reply other threads:[~2015-05-31 23:14 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-31 16:07 generic question: user-only directory w/o root access U.Mutlu
2015-05-31 18:59 ` Theodore Ts'o
2015-05-31 22:45 ` U.Mutlu
2015-05-31 23:14 ` U.Mutlu [this message]
2015-06-01 1:39 ` Linux unshare -m for per-process private filesystem mount points U.Mutlu
2015-06-04 1:44 ` generic question: user-only directory w/o root access Theodore Ts'o
2015-06-04 11:29 ` Lukáš Czerner
2015-06-04 13:24 ` U.Mutlu
2015-06-05 14:14 ` Theodore Ts'o
2015-06-05 19:24 ` U.Mutlu
2015-06-06 0:33 ` Theodore Ts'o
2015-06-06 7:19 ` U.Mutlu
2015-06-06 15:42 ` Theodore Ts'o
2015-06-06 17:46 ` U.Mutlu
2015-06-06 19:48 ` Theodore Ts'o
2015-06-08 0:12 ` U.Mutlu
2015-06-08 3:18 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='mkg4kf$429$1@ger.gmane.org' \
--to=for-gmane@mutluit.com \
--cc=linux-ext4@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).