From: Ralph Corderoy <ralph@in...> - 2008-05-24 18:11:43
On Ubuntu 8.04, we've ~/.gvfs for users of the gnome desktop.

    $ cd && df .gvfs && mount | grep gvfs
    Filesystem 1K-blocks Used Available Use% Mounted on
    gvfs-fuse-daemon 12626332 5147228 7479104 41% /home/ralph/.gvfs
    gvfs-fuse-daemon on /home/ralph/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=ralph)

This causes problems because it breaks the normal Unix paradigm of root
can access anything. I understand why, so a plebeian user can't
introduce a DoS as described in Documentation/filesystems/fuse.txt, but
it's causing existing well-behaved jobs, e.g. using tar as root to
backup /home, to fail.

    $ sudo tar cf /dev/null .gvfs .bash_profile
    tar: .gvfs: Cannot stat: Permission denied
    tar: Error exit delayed from previous errors
    $ echo $?

Adding tar's --one-file-system in this particular case doesn't help
since the stat must still occur before tar can spot it's a different

I'm aware of the allow_* options to fusermount but I'm not quite clear
if the allow_root one will help. Where's the best description of these?
It isn't fusermount(1).

I wondered if another option would be for root to see an empty directory
that's another filesystem. This would mean that options to avoid
crossing filesystem boundaries, e.g. find's -xdev, would work and
things that didn't check would only see an empty directory anyway so
they couldn't be DoSed by whatever the user had mounted there.

I'd welcome FUSE opinion on this, I'm just someone bitten by it that's
trying to gather information for bugs like

BTW, this issue of DoS by a pleb. Since Ubuntu allows users to mount
some media, e.g. a USB flash drive or ISO CD, couldn't I concoct a
faulty filesystem that had a directory tree loop or similar so a naive
program would find an infinite depth? If so, the system isn't protected
from that so perhaps the FUSE protection is overkill?
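
Added example, not part of the original post or of FUSE itself: a shell function that lists the FUSE mounts a root backup job would trip over, so they can be reported or skipped before tar runs. It assumes the kernel's /proc/mounts format, in which a mount opened up to other users carries the allow_other option; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads a mount table in /proc/mounts format on stdin and prints
# "<user_id><TAB><mount point>" for each FUSE mount without allow_other,
# i.e. the mounts where access by other users, root included, is refused
# (the behaviour the post describes).
fuse_private_mounts() {
    awk '
        # fuse, fuse.<subtype> and fuseblk are FUSE filesystems;
        # fusectl is the kernel control filesystem and is skipped.
        $3 == "fuse" || $3 ~ /^fuse\./ || $3 == "fuseblk" {
            uid = "?"; shared = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "allow_other") shared = 1
                if (opt[i] ~ /^user_id=/) uid = substr(opt[i], 9)
            }
            mp = $2
            gsub(/\\040/, " ", mp)   # /proc/mounts writes a space as \040
            if (!shared) printf "%s\t%s\n", uid, mp
        }'
}

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
gvfs-fuse-daemon /home/ralph/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
/dev/sdb1 /media/usb fuseblk rw,nosuid,nodev,user_id=0,group_id=0,allow_other 0 0
sshfs#host: /home/alice/My\040Files fuse rw,nosuid,nodev,user_id=1001,group_id=1001 0 0
EOF
}

# On a live system: fuse_private_mounts < /proc/mounts
sample_mounts | fuse_private_mounts
```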