From: Tejun Heo <tj@kernel.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: greg@kroah.com, fuse-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 5/7] FUSE: implement ioctl support
Date: Fri, 29 Aug 2008 10:12:16 +0200 [thread overview]
Message-ID: <48B7AF60.8040709@kernel.org> (raw)
In-Reply-To: <E1KYyt9-0005Ur-Eu@pomaz-ex.szeredi.hu>
Miklos Szeredi wrote:
> On Fri, 29 Aug 2008, Tejun Heo wrote:
>> I'm not worried about the client accessing wrong memory regions or even
>> corrupting it. It's pointless to try to protect against that. From the
>> calling process's POV, it runs the same risk whether it calls an
>> in-kernel ioctl or a CUSE one and FUSE already has sufficient protection
>> against allowing unprivileged FS implementation to serve other users.
>
> Yes and no. Fuse allows this protection to be relaxed
> (-oallow_other), because it does provide quite good privilege
> separation. This ioctl thing breaks that, so we should disable ioctls
> with 'allow_other' or require the filesystem to be privileged. But
> the latter is not easy because mount(2) is always privileged, we don't
> know if the process calling fusermount was privileged or not.
>
> So, your current patch actually _introduces_ a security vulnerability
> with the 'allow_other' mount option.
Ah.. right. allow_other. Yeah, restricting ioctl implementation only
to root or !allow_other sounds like a good idea.
>> What I'm worried about is the possibility of CUSE client being able to
>> break out of that privilege protection which is currently ensured by the
>> kernel.
>
> What do you call client? If you mean the app using the char dev, then
> I don't see how it could break out of any protection.
I first used 'server' for userland [FC]USE server but then I noticed
there were places in FUSE they were referred as clients so now I use
'client' for those and call the app using the FUSE fs the 'caller'.
What are the established terms?
Anyways, doing it directly from the server (or is it client) opens up a
lot of new possibilities to screw up and I'd really much prefer staying
in similar ballpark with other operations. Maybe we can restrict it to
two stages (query size & transfer) and linear consecutive ranges but
then again adding retry doesn't contribute too much to the complexity.
Oh.. and BTW, the in-ioctl length coding is not used universally, so it
can't be depended upon.
>> Also, what about containers? How would it work then?
>
> Dunno. Isn't there some transformation of pids going on, so that the
> global namespace can access pids in all containers but under a
> different alias? I do hope somethinig like this works, otherwise it's
> not only fuse that will break.
I'm not sure either. Any idea who we should be asking about it?
Thanks.
--
tejun
next prev parent reply other threads:[~2008-08-29 8:13 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-28 17:40 [PATCHSET] FUSE: extend FUSE to support more operations Tejun Heo
2008-08-28 17:40 ` [PATCH 1/7] FUSE: add include protectors Tejun Heo
2008-08-28 17:40 ` [PATCH 2/7] FUSE: pass nonblock flag to client Tejun Heo
2008-08-28 17:40 ` [PATCH 3/7] FUSE: implement nonseekable open Tejun Heo
2008-08-28 17:41 ` [PATCH 4/7] FUSE: implement direct lseek support Tejun Heo
2008-08-28 17:41 ` [PATCH 5/7] FUSE: implement ioctl support Tejun Heo
2008-08-28 17:51 ` Greg KH
2008-08-28 17:59 ` Tejun Heo
2008-08-28 18:01 ` Tejun Heo
2008-08-28 18:13 ` Miklos Szeredi
2008-08-28 18:17 ` Tejun Heo
2008-08-28 18:23 ` Miklos Szeredi
2008-08-28 18:34 ` Tejun Heo
2008-08-28 19:25 ` Miklos Szeredi
2008-08-28 19:42 ` Tejun Heo
2008-08-28 20:02 ` Miklos Szeredi
2008-08-29 2:19 ` Tejun Heo
2008-08-29 7:59 ` Miklos Szeredi
2008-08-29 8:12 ` Tejun Heo [this message]
2008-08-29 8:29 ` Miklos Szeredi
2008-08-29 9:03 ` Tejun Heo
2008-08-29 19:17 ` Eric W. Biederman
2008-08-29 19:47 ` Arnd Bergmann
2008-08-30 11:40 ` Tejun Heo
2008-09-01 11:57 ` Miklos Szeredi
2008-09-01 12:03 ` Tejun Heo
2008-09-03 14:32 ` Eric W. Biederman
2008-09-03 14:40 ` Tejun Heo
2008-09-03 21:51 ` Eric W. Biederman
2008-09-04 0:09 ` Tejun Heo
2008-08-29 11:31 ` [fuse-devel] " Roger Willcocks
2008-08-29 11:54 ` Tejun Heo
2008-08-28 20:48 ` Alan Cox
2008-08-28 18:02 ` Tejun Heo
2008-08-28 18:14 ` Greg KH
2008-08-28 18:25 ` Tejun Heo
2008-08-28 18:20 ` H. Peter Anvin
2008-08-28 18:28 ` Tejun Heo
2008-08-28 19:08 ` H. Peter Anvin
2008-08-28 19:18 ` Miklos Szeredi
2008-08-28 20:21 ` H. Peter Anvin
2008-08-28 20:55 ` Miklos Szeredi
2008-08-28 21:27 ` H. Peter Anvin
2008-08-29 7:32 ` Miklos Szeredi
2008-08-28 17:41 ` [PATCH 6/7] FUSE: implement unsolicited notification Tejun Heo
2008-08-28 17:41 ` [PATCH 7/7] FUSE: implement poll support Tejun Heo
2008-08-28 18:20 ` [PATCHSET] FUSE: extend FUSE to support more operations Miklos Szeredi
2008-08-28 18:23 ` Tejun Heo
2008-10-14 8:21 ` Tejun Heo
2008-10-14 9:37 ` Miklos Szeredi
2008-10-14 12:16 ` [fuse-devel] " Szabolcs Szakacsits
2008-10-14 12:43 ` Miklos Szeredi
[not found] ` <2cff7cb50810141032m5793a405h7425dfa122fb67ba@mail.gmail.com>
2008-10-14 21:04 ` Miklos Szeredi
2008-11-12 8:41 ` Tejun Heo
2008-11-12 9:14 ` Christoph Hellwig
2008-11-12 9:30 ` Tejun Heo
2008-11-12 9:36 ` Miklos Szeredi
2008-11-12 9:43 ` [fuse-devel] " Mike Hommey
2008-11-12 10:00 ` Miklos Szeredi
2008-11-13 5:54 ` Tejun Heo
2008-11-13 6:06 ` Tejun Heo
2008-11-13 11:19 ` Miklos Szeredi
2008-11-13 11:29 ` Tejun Heo
2008-11-13 11:57 ` Miklos Szeredi
2008-11-13 12:14 ` Tejun Heo
2008-11-13 6:26 ` Tejun Heo
2008-11-13 11:47 ` Miklos Szeredi
2008-11-13 11:54 ` Tejun Heo
2008-11-13 11:58 ` Miklos Szeredi
2008-11-13 12:34 ` Miklos Szeredi
2008-11-13 13:23 ` Tejun Heo
2008-11-13 13:42 ` Miklos Szeredi
2008-11-13 14:29 ` Tejun Heo
2008-11-13 14:48 ` Miklos Szeredi
2008-11-13 15:10 ` Tejun Heo
2008-11-13 15:52 ` Miklos Szeredi
2008-11-13 16:00 ` Tejun Heo
2008-11-17 9:17 ` Tejun Heo
2008-11-17 10:16 ` [fuse-devel] " Miklos Szeredi
2008-11-18 3:32 ` Tejun Heo
2008-11-18 9:33 ` Miklos Szeredi
2008-11-18 10:30 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48B7AF60.8040709@kernel.org \
--to=tj@kernel.org \
--cc=fuse-devel@lists.sourceforge.net \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).