From: "Darrick J. Wong" <djwong@kernel.org>
To: bschubert@ddn.com
Cc: miklos@szeredi.hu, neal@gompa.dev, linux-fsdevel@vger.kernel.org,
bernd@bsbernd.com, joannelkoong@gmail.com
Subject: Re: [PATCH 08/13] mount_service: enable unprivileged users in the same manner as fusermount
Date: Fri, 17 Apr 2026 15:01:27 -0700 [thread overview]
Message-ID: <20260417220127.GE7727@frogsfrogsfrogs> (raw)
In-Reply-To: <20260414235349.GE604658@frogsfrogsfrogs>
On Tue, Apr 14, 2026 at 04:53:49PM -0700, Darrick J. Wong wrote:
> On Thu, Apr 09, 2026 at 03:22:38PM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <djwong@kernel.org>
> >
> > Some Linux distributions allow unprivileged users to mount fuse
> > filesystems through the use of the setuid fusermount helper program. It
> > would be useful to provide similar functionality when mounting a
> > filesystem that runs as a systemd service.
> >
> > Therefore, read the fuse config file and implement the same checks as
> > fusermount.
> >
> > Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
> > ---
> > util/mount_service.c | 150 +++++++++++++++++++++++++++++++++++++++++++++++++-
> > 1 file changed, 147 insertions(+), 3 deletions(-)
> >
> >
> > diff --git a/util/mount_service.c b/util/mount_service.c
> > index 8e9c721a56fd2a..0f7eae94ada377 100644
> > --- a/util/mount_service.c
> > +++ b/util/mount_service.c
> > @@ -33,6 +33,7 @@
> > #include "fuse_i.h"
> > #include "fuse_service_priv.h"
> > #include "mount_service.h"
> > +#include "fuser_conf.h"
> >
> > struct mount_service {
> > /* prefix for printing error messages */
> > @@ -166,7 +167,9 @@ static int mount_service_connect(struct mount_service *mo)
> > return -1;
> > }
> >
> > + drop_privs();
> > ret = connect(sockfd, (const struct sockaddr *)&name, sizeof(name));
> > + restore_privs();
> > if (ret && (errno == ENOENT || errno == ECONNREFUSED)) {
Oops, here I missed that the syscalls under restore_privs() could fail,
thereby blowing away errno. This should of course be:
drop_privs();
ret = connect(...);
if (ret && (errno == ENOENT || errno == ECONNREFUSED)) {
restore_privs();
/* rest of error stuff */
}
> > fprintf(stderr, "%s: no safe filesystem driver for %s available.\n",
> > mo->msgtag, mo->subtype);
> > @@ -208,7 +211,7 @@ static int mount_service_send_hello(struct mount_service *mo)
> > };
> > ssize_t size;
> >
> > - if (getuid() == 0)
> > + if (getuid() == 0 || user_allow_other)
> > hello.flags |= htonl(FUSE_SERVICE_FLAG_ALLOW_OTHER);
> >
> > size = sendmsg(mo->sockfd, &msg, MSG_EOR | MSG_NOSIGNAL);
> > @@ -490,7 +493,9 @@ static int mount_service_send_required_files(struct mount_service *mo,
> > {
> > int ret;
> >
> > + drop_privs();
> > mo->fusedevfd = open(fusedev, O_RDWR | O_CLOEXEC);
> > + restore_privs();
Here too.
> > if (mo->fusedevfd < 0) {
> > fprintf(stderr, "%s: %s: %s\n",
> > mo->msgtag, fusedev, strerror(errno));
> > @@ -628,7 +633,9 @@ static int prepare_bdev(struct mount_service *mo,
> > if (oc->block_size) {
> > int block_size = ntohl(oc->block_size);
> >
> > + drop_privs();
> > ret = ioctl(fd, BLKBSZSET, &block_size);
> > + restore_privs();
> > if (ret) {
> > int error = errno;
> >
> > @@ -675,7 +682,9 @@ static int mount_service_open_path(struct mount_service *mo,
> > return mount_service_send_file_error(mo, EINVAL, oc->path);
> > }
> >
> > - fd = open(oc->path, ntohl(oc->open_flags), ntohl(oc->create_mode));
> > + drop_privs();
> > + fd = open(oc->path, ntohl(oc->open_flags) | O_CLOEXEC, ntohl(oc->create_mode));
> > + restore_privs();
And here.
> > if (fd < 0) {
> > int error = errno;
> >
> > @@ -908,6 +917,20 @@ static int mount_service_handle_mntopts_cmd(struct mount_service *mo,
mount_service_handle_mntopts_cmd and mount_service_handle_source_cmd
ought only to set mo->mntopts and mo->source at the very end, if
everything that before it succeeded.
> > *equals = 0;
> > }
> >
> > + if (getuid() != 0 && !user_allow_other &&
> > + (!strcmp(tok, "allow_other") ||
> > + !strcmp(tok, "allow_root"))) {
> > + fprintf(stderr,
> > +"%s: option %s only allowed if 'user_allow_other' is set in %s\n",
> > + mo->msgtag, tok, FUSE_CONF);
> > + return mount_service_send_reply(mo, EPERM);
> > + }
> > + if (!strcmp(tok, "blkdev") && getuid() != 0) {
>
> blkdev is an internal mount option that libfuse never sends to the
> kernel, so there's no need to check it here either. Sending "blkdev" to
> the kernel will just cause mount() EINVAL failures.
>
>
> > + fprintf(stderr, "%s: option blkdev is privileged\n",
> > + mo->msgtag);
> > + return mount_service_send_reply(mo, EPERM);
> > + }
> > +
> > #ifdef HAVE_NEW_MOUNT_API
> > if (mo->fsopenfd >= 0) {
> > int ret;
> > @@ -985,10 +1008,16 @@ static int attach_to_mountpoint(struct mount_service *mo, char *mntpt)
> > int error;
> > int ret;
> >
> > + drop_privs();
> > +
> > /*
> > * Open the alleged mountpoint, make sure it's a dir or a file.
> > + * For unprivileged callers, we only allow mounting on paths that the
> > + * user can write to.
> > */
> > - mountfd = open(mntpt, O_RDONLY | O_CLOEXEC);
> > + mountfd = open(mntpt, (getuid() == 0 ? O_RDONLY : O_WRONLY) | O_CLOEXEC);
> > + if (mountfd < 0 && errno == EISDIR)
> > + mountfd = open(mntpt, O_RDONLY | O_CLOEXEC);
>
> This mess!
>
> This might add a new requirement that the unprivileged caller has to
> have read access to the mountpoint. This isn't explicitly checked in
> fusermount, but I'm pretty sure that the lstat in fusermount will fail
> with EACCESS.
>
> That said, if we're unprivileged and fall back to opening readonly, then
> we should require that the fd point to a directory. Note that the
> access check just prior to mount()/fsmount() will confirm that the
> unprivileged caller could (at least in theory) create a new child entry.
>
> --D
>
> > if (mountfd < 0) {
> > error = errno;
> > fprintf(stderr, "%s: %s: %s\n", mo->msgtag, mntpt,
> > @@ -1067,6 +1096,7 @@ static int attach_to_mountpoint(struct mount_service *mo, char *mntpt)
> > mo->mountfd = mountfd;
> > mo->resv_mountpoint = res_mntpt;
> >
> > + restore_privs();
> > return mount_service_send_reply(mo, 0);
> >
> > out_res_mntpt:
> > @@ -1075,6 +1105,7 @@ static int attach_to_mountpoint(struct mount_service *mo, char *mntpt)
> > close(mountfd);
> > out_error:
> > free(mntpt);
> > + restore_privs();
> > return mount_service_send_reply(mo, error);
> > }
> >
> > @@ -1399,6 +1430,77 @@ static int mount_service_fsopen_mount(struct mount_service *mo,
> > # define mount_service_fsopen_mount(...) (FUSE_MOUNT_FALLBACK_NEEDED)
> > #endif
> >
> > +static int check_nonroot_file_access(struct mount_service *mo)
> > +{
> > + struct stat sb1, sb2;
> > + int fd;
> > + int ret;
> > +
> > + /*
> > + * If we already succeeded in opening the file with write access, then
> > + * we're good.
> > + */
> > + ret = fcntl(mo->mountfd, F_GETFL);
> > + if (ret < 0) {
> > + int error = errno;
> > +
> > + fprintf(stderr, "%s: %s: %s\n", mo->msgtag, mo->mountpoint,
> > + strerror(error));
> > + return -1;
> > + }
> > +
> > + if ((ret & O_ACCMODE) != O_RDONLY)
> > + return 0;
> > +
> > + ret = fstat(mo->mountfd, &sb1);
> > + if (ret) {
> > + int error = errno;
> > +
> > + fprintf(stderr, "%s: %s: %s\n",
> > + mo->msgtag, mo->mountpoint, strerror(error));
> > + return -1;
> > + }
> > +
> > + /* Try to reopen the file with write access this time. */
> > + fd = open(mo->real_mountpoint, O_WRONLY | O_CLOEXEC);
> > + if (fd < 0) {
> > + int error = errno;
> > +
> > + fprintf(stderr, "%s: %s: %s\n",
> > + mo->msgtag, mo->mountpoint, strerror(error));
> > + return -1;
> > + }
> > +
> > + /* Is this the same file? */
> > + ret = fstat(fd, &sb2);
> > + if (ret) {
> > + int error = errno;
> > +
> > + fprintf(stderr, "%s: %s: %s\n",
> > + mo->msgtag, mo->mountpoint, strerror(error));
> > + goto out_fd;
> > + }
> > +
> > + if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
> > + fprintf(stderr, "%s: %s: Mount point moved during fuse startup.\n",
> > + mo->msgtag, mo->mountpoint);
> > + ret = -1;
> > + goto out_fd;
> > + }
> > +
> > + /*
> > + * We reopened the same file with write access, everything is ok. Swap
> > + * the two file descriptors so that we retain our write access.
> > + */
> > + ret = mo->mountfd;
> > + mo->mountfd = fd;
> > + fd = ret;
> > + ret = 0;
> > +out_fd:
> > + close(fd);
> > + return ret;
> > +}
> > +
> > static int mount_service_handle_mount_cmd(struct mount_service *mo,
> > struct fuse_service_packet *p,
> > size_t psz)
> > @@ -1471,6 +1573,44 @@ static int mount_service_handle_mount_cmd(struct mount_service *mo,
> > return mount_service_send_reply(mo, EINVAL);
> > }
> >
> > + /*
> > + * fuse.conf can limit the number of unprivileged fuse mounts.
> > + * For unprivileged mounts (via setuid) we also require write access
> > + * to the mountpoint, and we'll only accept certain underlying
> > + * filesystems.
> > + */
> > + if (getuid() != 0) {
> > + struct statfs fs_buf;
> > +
> > + ret = check_nonroot_mount_count(mo->msgtag);
> > + if (ret)
> > + return mount_service_send_reply(mo, EUSERS);
> > +
> > + ret = fstatfs(mo->mountfd, &fs_buf);
> > + if (ret) {
> > + int error = errno;
> > +
> > + fprintf(stderr, "%s: %s: %s\n",
> > + mo->msgtag, mo->mountpoint, strerror(error));
> > + return mount_service_send_reply(mo, error);
> > + }
> > +
> > + drop_privs();
> > + if (S_ISDIR(stbuf.st_mode))
> > + ret = check_nonroot_dir_access(mo->msgtag,
> > + mo->mountpoint,
> > + mo->real_mountpoint,
> > + &stbuf);
> > + else
> > + ret = check_nonroot_file_access(mo);
> > + if (!ret)
> > + ret = check_nonroot_fstype(mo->msgtag, &fs_buf);
> > + restore_privs();
> > +
> > + if (ret)
> > + return mount_service_send_reply(mo, EPERM);
Codex points out that fusermount grumps and sets MS_NOSUID|MS_NODEV
unconditionally, so we should do that too. I see that there's a
"mount_flags" table in fusermount.c, so I'll use that as the basis for
forcing flags.
--D
> > + }
> > +
> > if (mo->fsopenfd >= 0) {
> > ret = mount_service_fsopen_mount(mo, oc, &stbuf);
> > if (ret != FUSE_MOUNT_FALLBACK_NEEDED)
> > @@ -1601,6 +1741,10 @@ int mount_service_main(int argc, char *argv[])
> > else
> > mo.msgtag = "mount.service";
> >
> > + drop_privs();
> > + read_conf(mo.msgtag);
> > + restore_privs();
> > +
> > ret = mount_service_init(&mo, argc, argv);
> > if (ret)
> > return EXIT_FAILURE;
> >
> >
>
next prev parent reply other threads:[~2026-04-17 22:01 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-09 22:20 [PATCHSET v4] libfuse: run fuse servers as a contained service Darrick J. Wong
2026-04-09 22:20 ` [PATCH 01/13] Refactor mount code / move common functions to mount_util.c Darrick J. Wong
2026-04-09 22:21 ` [PATCH 02/13] mount_service: add systemd/inetd socket service mounting helper Darrick J. Wong
2026-04-14 1:00 ` Darrick J. Wong
2026-04-14 23:48 ` Darrick J. Wong
2026-04-17 23:19 ` Darrick J. Wong
2026-04-09 22:21 ` [PATCH 03/13] mount_service: create high level fuse helpers Darrick J. Wong
2026-04-14 23:58 ` Darrick J. Wong
2026-04-09 22:21 ` [PATCH 04/13] mount_service: use the new mount api for the mount service Darrick J. Wong
2026-04-17 22:03 ` Darrick J. Wong
2026-04-09 22:21 ` [PATCH 05/13] mount_service: update mtab after a successful mount Darrick J. Wong
2026-04-09 22:22 ` [PATCH 06/13] util: hoist the fuse.conf parsing and setuid mode enforcement code Darrick J. Wong
2026-04-09 22:22 ` [PATCH 07/13] util: fix checkpatch complaints in fuser_conf.[ch] Darrick J. Wong
2026-04-09 22:22 ` [PATCH 08/13] mount_service: enable unprivileged users in the same manner as fusermount Darrick J. Wong
2026-04-14 23:53 ` Darrick J. Wong
2026-04-17 22:01 ` Darrick J. Wong [this message]
2026-04-09 22:22 ` [PATCH 09/13] mount.fuse3: integrate systemd service startup Darrick J. Wong
2026-04-17 22:41 ` Darrick J. Wong
2026-04-09 22:23 ` [PATCH 10/13] mount_service: allow installation as a setuid program Darrick J. Wong
2026-04-09 22:23 ` [PATCH 11/13] example/service_ll: create a sample systemd service fuse server Darrick J. Wong
2026-04-14 23:56 ` Darrick J. Wong
2026-04-17 21:56 ` Darrick J. Wong
2026-04-09 22:23 ` [PATCH 12/13] example/service: create a sample systemd service for a high-level " Darrick J. Wong
2026-04-09 22:23 ` [PATCH 13/13] nullfs: support fuse systemd service mode Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260417220127.GE7727@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=bernd@bsbernd.com \
--cc=bschubert@ddn.com \
--cc=joannelkoong@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=neal@gompa.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox