From: Jamie Lokier <jamie@shareable.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
hch@infradead.org, akpm@osdl.org,
viro@parcelfarce.linux.theplanet.co.uk
Subject: Re: [RFC] FUSE permission modell (Was: fuse review bits)
Date: Mon, 11 Apr 2005 19:22:57 +0100 [thread overview]
Message-ID: <20050411182257.GC32535@mail.shareable.org> (raw)
In-Reply-To: <E1DL08S-0008UH-00@dorka.pomaz.szeredi.hu>
Miklos Szeredi wrote:
> 1) User must not be able to modify files or directories in a way
> which he otherwise could not do (e.g. mount a filesystem over
> /bin)
>
> 2) Suid and device semantics should be disabled within the mount
>
> 3) No other user should have access to files under the mount, not
> even root[5]
Why? I can see plenty of uses where I want a filesystem generated by
one user to be accessible by other users. That policy should not be
hard-coded into the kernel. It might be an option.
> 4) Access should not be further restricted for the owner of the
> mount, even if permission bits, uid or gid would suggest
> otherwise
Why? Surely you want to prevent writing to files which don't have the
writable bit set? A filesystem may also create append-only files -
and all users including the mount owner should be bound by that.
> 5) As much of the available information should be exported via the
> filesystem as possible
This is the root of the conflict. You are trying to overload the
permission bits and uid/gid to mean something different than they
normally do.
While it's convenient to see some "remote" information such as the
uid/gid in a tar file, are you sure it's a good idea to break the unix
permissions model - which will break some programs? (For example, try
editing a file with the broken semantics in an editor which checks the
uid/gid of the file against the current user).
For most virtual filesystems, the "remote" information does not map to
uid/gid in a particularly natural way anyway. So it seems odd to want
to break the unix permissions model just so that a small _subset_ of
virtual filesystems can use stat() as a way to get a bit of
information out, when other virtual filesystems (e.g. webdavfs) can't
put meaningful information in there, and would benefit from normal
unix permissions instead.
> 1) Only allow mount over a directory for which the user has write
> access (and is not sticky)
Seems good - but why not sticky? Mounting a user filesystem in
/tmp/user-xxx/my-mount-point seems not unreasonable - provided the
administrator can delete the directory (which is possible with
detachable mount points).
> 2) Use nosuid,nodev mount options
Of course. Ideally, make sure they appear to be set in /proc/mounts.
(root (or equivalent) should be able to create virtual filesystems
without these options, but probably they should be set by default even
for root, and clearable using suid,dev).
> 3) In permission method of FUSE kernel module compare fsuid against
> mounting user's ID, and return EACCES if they are not equal.
Bad. How do I, user A, then create a virtual filesystem which I want
user B to be able to access?
> 4) The filesystem daemon does not run with elevated permissions.
> The kernel doesn't check file more in the permission method.
I like the idea that the fs daemon doesn't need elevated permissions.
> 5) The filesystem daemon is free to fill in all file attributes to
> any (sane) value, and the kernel won't modify these.
Dangerous, because an administrative program might actually trust the
attributes to mean what they normally mean in the unix permissions model.
> The debated part is 3) and 4), namely that normal permission checking
> based on file mode is bypassed, and the mounting user has full
> permission to all files, while other users have none.
>
> This feature has been in FUSE from the start and thus has been very
> well tested in real world scenarios. Also I have thought a lot about
> how this could pose any kind of security threat, and as yet found no
> such possiblity.
Ok, but why do you prevent the useful behaviour of allowing access to
other users, when I want that? For example, I might export my current
project's database as a filesystem that I _want_ other users to be
able to read.
> Despite this Christoph feels this behavior is unacceptable for a
> filesystem, and wants me to remove this feature before merging FUSE
> into mainline. I try to be open to ideas, but also feel strongly that
> this is the Right Way, so I won't give up easily.
I agree with Christoph. It is a huge deviation from the unix
permissions model -- and it seems to prevent some useful applications
of FUSE so it's not clear why you want it.
-- Jamie
next prev parent reply other threads:[~2005-04-11 18:23 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20050320151212.4f9c8f32.akpm@osdl.org>
[not found] ` <20050321073519.GA13879@outpost.ds9a.nl>
[not found] ` <20050323083347.GA1807@infradead.org>
[not found] ` <E1DE2D1-0005Ie-00@dorka.pomaz.szeredi.hu>
[not found] ` <20050325095838.GA9471@infradead.org>
[not found] ` <E1DEmYC-0008Qg-00@dorka.pomaz.szeredi.hu>
[not found] ` <20050331112427.GA15034@infradead.org>
[not found] ` <E1DH13O-000400-00@dorka.pomaz.szeredi.hu>
[not found] ` <20050331200502.GA24589@infradead.org>
[not found] ` <E1DJsH6-0004nv-00@dorka.pomaz.szeredi.hu>
[not found] ` <20050411114728.GA13128@infradead.org>
2005-04-11 14:43 ` [RFC] FUSE permission modell (Was: fuse review bits) Miklos Szeredi
2005-04-11 15:36 ` Daniel Jacobowitz
2005-04-11 15:56 ` Miklos Szeredi
2005-04-11 18:17 ` Daniel Jacobowitz
2005-04-11 19:10 ` Miklos Szeredi
2005-04-11 19:22 ` Daniel Jacobowitz
2005-04-11 19:56 ` Miklos Szeredi
2005-04-11 21:41 ` Jamie Lokier
2005-04-12 6:10 ` Miklos Szeredi
2005-04-12 14:33 ` Jamie Lokier
2005-04-12 15:13 ` Miklos Szeredi
2005-04-12 16:03 ` Miklos Szeredi
2005-04-12 15:16 ` Frank Sorenson
2005-04-12 15:56 ` Jamie Lokier
2005-04-17 17:45 ` Eric Van Hensbergen
2005-04-17 18:06 ` Jamie Lokier
2005-04-12 20:36 ` Anton Altaparmakov
2005-04-11 22:13 ` Daniel Jacobowitz
2005-04-12 6:27 ` Miklos Szeredi
2005-04-12 14:32 ` Jamie Lokier
2005-04-12 14:59 ` Miklos Szeredi
2005-04-12 16:13 ` Jamie Lokier
2005-04-12 16:37 ` Miklos Szeredi
2005-04-12 16:45 ` Jamie Lokier
2005-04-12 16:52 ` Miklos Szeredi
2005-04-12 17:14 ` Jamie Lokier
2005-04-12 19:10 ` Miklos Szeredi
2005-04-12 16:42 ` Jan Hudec
2005-04-12 8:06 ` Jan Hudec
2005-04-11 18:22 ` Jamie Lokier [this message]
2005-04-11 18:27 ` Daniel Jacobowitz
2005-04-11 19:38 ` Miklos Szeredi
2005-04-17 18:01 ` Eric Van Hensbergen
2005-04-17 18:45 ` Miklos Szeredi
2005-04-17 19:57 ` Eric Van Hensbergen
[not found] <3S8oM-So-11@gated-at.bofh.it>
[not found] ` <3S8oM-So-13@gated-at.bofh.it>
[not found] ` <3S8oN-So-15@gated-at.bofh.it>
[not found] ` <3S8oN-So-17@gated-at.bofh.it>
[not found] ` <3S8oN-So-19@gated-at.bofh.it>
[not found] ` <3S8oN-So-21@gated-at.bofh.it>
[not found] ` <3S8oN-So-23@gated-at.bofh.it>
[not found] ` <3S8oN-So-25@gated-at.bofh.it>
[not found] ` <3S8oN-So-27@gated-at.bofh.it>
[not found] ` <3S8oM-So-7@gated-at.bofh.it>
[not found] ` <3SbPN-3T4-19@gated-at.bofh.it>
2005-04-12 9:17 ` Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>
2005-04-12 14:45 ` Jamie Lokier
2005-04-12 15:19 ` Miklos Szeredi
2005-04-12 16:04 ` Jamie Lokier
2005-04-12 16:31 ` Miklos Szeredi
2005-04-12 16:44 ` Jamie Lokier
2005-04-12 16:55 ` Miklos Szeredi
2005-04-12 17:13 ` Jamie Lokier
2005-04-12 19:08 ` Miklos Szeredi
2005-04-13 12:56 ` Jan Hudec
2005-04-13 15:08 ` Miklos Szeredi
2005-04-13 16:13 ` Jamie Lokier
2005-04-13 16:47 ` Miklos Szeredi
2005-04-13 16:57 ` Jamie Lokier
2005-04-13 15:58 ` Jamie Lokier
2005-04-12 20:19 ` Anton Altaparmakov
2005-04-12 21:52 ` Jamie Lokier
2005-04-13 9:14 ` Miklos Szeredi
2005-04-13 12:59 ` Jan Hudec
2005-04-13 17:02 ` Jamie Lokier
2005-04-13 17:29 ` Miklos Szeredi
2005-04-13 18:36 ` Jamie Lokier
2005-04-13 19:16 ` Miklos Szeredi
[not found] ` <3S9b7-1yl-1@gated-at.bofh.it>
[not found] ` <3S9uB-1Lj-3@gated-at.bofh.it>
[not found] ` <3SbG5-3Mb-41@gated-at.bofh.it>
[not found] ` <3ScC1-4zl-1@gated-at.bofh.it>
[not found] ` <3ScLO-4GA-9@gated-at.bofh.it>
[not found] ` <3SdeV-54h-21@gated-at.bofh.it>
[not found] ` <3SeXf-6BK-21@gated-at.bofh.it>
[not found] ` <E1DLKOd-0001Nd-MG@be1.7eggert.dyndns.org>
2005-04-12 14:37 ` Jamie Lokier
2005-04-12 19:51 ` Bodo Eggert
[not found] ` <3UmnD-6Fy-7@gated-at.bofh.it>
2005-04-17 23:52 ` Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>
2005-04-19 11:57 ` Eric Van Hensbergen
2005-04-19 15:01 ` Bodo Eggert
2005-04-19 15:21 ` Miklos Szeredi
2005-04-19 15:26 ` Eric Van Hensbergen
2005-04-19 16:02 ` Bodo Eggert
2005-04-19 19:29 ` Eric Van Hensbergen
2005-04-20 3:59 ` Mike Waychison
2005-04-20 7:09 ` Miklos Szeredi
[not found] <3UrQt-2Js-3@gated-at.bofh.it>
[not found] ` <3SpIW-6UA-17@gated-at.bofh.it>
[not found] ` <3SpIW-6UA-19@gated-at.bofh.it>
[not found] ` <3SpIW-6UA-21@gated-at.bofh.it>
[not found] ` <3UrQt-2Js-5@gated-at.bofh.it>
[not found] ` <3UrQt-2Js-1@gated-at.bofh.it>
[not found] ` <3UZyS-55i-39@gated-at.bofh.it>
[not found] ` <3V2wG-7HR-19@gated-at.bofh.it>
[not found] ` <3V2PX-7Vh-23@gated-at.bofh.it>
[not found] ` <3V6Ae-2Ce-17@gated-at.bofh.it>
[not found] ` <3V6JW-2K9-49@gated-at.bofh.it>
[not found] ` <3VeHl-NF-3@gated-at.bofh.it>
2005-04-20 19:52 ` Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050411182257.GC32535@mail.shareable.org \
--to=jamie@shareable.org \
--cc=akpm@osdl.org \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).